每周高级威胁情报解读(2025.05.02~05.08)
APT35组织最新攻击活动分析;Lemon Sandstorm 入侵中东关键国家基础设施;“Operation Deceptive Prospect”活动通过客户反馈门户瞄准英国组织;APT36假冒印度国防部网站部署跨平台恶意软件
Aggregator
每周高级威胁情报解读(2025.05.02~05.08)
9 months ago
APT35组织最新攻击活动分析;Lemon Sandstorm 入侵中东关键国家基础设施;“Operation Deceptive Prospect”活动通过客户反馈门户瞄准英国组织;APT36假冒印度国防部网站部署跨平台恶意软件
云安全风险态势(2025.4.1-4.30)
9 months ago
腾讯云安全基于云视角持续监测安全威胁,关注新曝光漏洞武器,实时监测针对云上资产的各类攻击行为,感知在野攻击情况。
云安全风险态势(2025.4.1-4.30)
9 months ago
腾讯云安全基于云视角持续监测安全威胁,关注新曝光漏洞武器,实时监测针对云上资产的各类攻击行为,感知在野攻击情况。
2025 数字中国创新大赛 |「小米人车家生态安全左移」项目摘得银奖
9 months ago
2025 数字中国创新大赛 |「小米人车家生态安全左移」项目摘得银奖
9 months ago
Cats Tower 游戏泄露 45 万用户隐私数据
9 months ago
HackerNews 编译,转载请注明出处: 网络安全研究人员发现iOS游戏《Cats Tower: The Cat Game!》存在数据泄露,该应用使近45万用户面临被黑客追踪、劫持Facebook账户甚至武器化其后端系统的风险。Cybernews团队确认,这款由App Store显示开发商为Rhino Games(隐私政策链接指向亚美尼亚移动游戏公司Next Epic LLC)的游戏,因Firebase配置错误导致以下信息暴露:用户名称、IP地址、Facebook用户ID及访问令牌以及硬编码密钥。 泄露的IP地址虽非精确GPS坐标,但结合其他公开或泄露数据仍可定位用户居住地。尤其危险的是229组Facebook访问令牌,攻击者可借此侵入账户发布加密货币诈骗或向好友发送钓鱼链接。研究人员多次联系相关公司均未获回应。 调查期间,暴露的Firebase实例持续泄露超45万用户的IP与用户名,由于Firebase作为临时数据库会定期与永久后端同步,当前可见数据可能只是冰山一角。技术娴熟的黑客可部署实时爬虫监控数据库,将单次泄露转为持续性监控行动。 更严重的是,该应用代码库中散布着本应对开发团队保密的敏感密钥,包括:客户端ID、反向客户端ID、安卓客户端ID、API密钥、项目ID、存储桶、谷歌应用ID、数据库URL、GAD应用标识符。 这些密钥属于iOS应用中最常泄露的前十类敏感信息。网络安全专家警告,将API密钥等凭证硬编码至发布版应用的行为存在极大风险,攻击者可借此逆向工程整个后端系统,滥用服务收集更多用户数据、伪造请求甚至通过应用基础设施直接发送垃圾信息。 此次泄露事件是Cybernews对App Store中15.6万款iOS应用(约占总量8%)调查的典型案例。研究发现71%的受检应用至少泄露一项密钥,平均每款应用暴露5.2项敏感信息。例如多款热门约会应用泄露的硬编码凭证可访问存有近150万用户照片的云存储桶(含已删除图片、违规内容及私密消息图片);某家庭位置追踪应用实时泄露GPS坐标;某防骚扰应用泄露拦截号码、关键词及含真实姓名/邮件的客服工单。 消息来源: cybernews; 本文由 HackerNews.cc 翻译整理,封面来源于网络; 转载请注明“转自 HackerNews.cc”并附上原文
hackernews
CVE-2020-6226 | SAP Business Intelligence Platform 4.2 cross site scripting
9 months ago
A vulnerability, which was classified as problematic, was found in SAP Business Intelligence Platform 4.2. This affects an unknown part. The manipulation leads to basic cross site scripting.
This vulnerability is uniquely identified as CVE-2020-6226. It is possible to initiate the attack remotely. There is no exploit available.
vuldb.com
CVE-2020-6227 | SAP Business Intelligence Platform 4.2 GIOP Packet privileges management
9 months ago
A vulnerability has been found in SAP Business Intelligence Platform 4.2 and classified as critical. This vulnerability affects unknown code of the component GIOP Packet Handler. The manipulation leads to improper privilege management.
This vulnerability was named CVE-2020-6227. The attack can be initiated remotely. There is no exploit available.
vuldb.com
CVE-2020-6228 | SAP Business Client 6.5/7.0 Integrity Check privileges management
9 months ago
A vulnerability was found in SAP Business Client 6.5/7.0 and classified as critical. This issue affects some unknown processing of the component Integrity Check. The manipulation leads to improper privilege management.
The identification of this vulnerability is CVE-2020-6228. The attack may be initiated remotely. There is no exploit available.
vuldb.com
CVE-2020-6229 | SAP NetWeaver AS ABAP up to 752 Reflected cross site scripting
9 months ago
A vulnerability was found in SAP NetWeaver AS ABAP up to 752. It has been classified as problematic. Affected is an unknown function. The manipulation leads to basic cross site scripting (Reflected).
This vulnerability is traded as CVE-2020-6229. It is possible to launch the attack remotely. There is no exploit available.
vuldb.com
CVE-2020-6231 | SAP Business Intelligence Platform 4.2 cross site scripting
9 months ago
A vulnerability was found in SAP Business Intelligence Platform 4.2. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to basic cross site scripting.
This vulnerability is handled as CVE-2020-6231. The attack may be launched remotely. There is no exploit available.
vuldb.com
CVE-2020-7574 | Climatix POL908/POL909 Server Config Web Interface Persistent cross site scripting (ssa-886514)
9 months ago
A vulnerability was found in Climatix POL908 and POL909. It has been declared as problematic. This vulnerability affects unknown code of the component Server Config Web Interface. The manipulation leads to cross site scripting (Persistent).
This vulnerability was named CVE-2020-7574. The attack can be initiated remotely. There is no exploit available.
vuldb.com
CVE-2020-7575 | Climatix POL908/POL909 GET Request Persistent cross site scripting (ssa-886514)
9 months ago
A vulnerability was found in Climatix POL908 and POL909. It has been rated as problematic. This issue affects some unknown processing. The manipulation as part of GET Request leads to basic cross site scripting (Persistent).
The identification of this vulnerability is CVE-2020-7575. The attack may be initiated remotely. There is no exploit available.
vuldb.com
黑客发现绕过 SentinelOne EDR 解决方案的新技术
9 months ago
HackerNews 编译,转载请注明出处: 端点检测与响应(EDR)解决方案已成为多数组织的标准网络安全产品,但它们并非无懈可击。5月5日,怡安集团旗下Stroz Friedberg事件响应服务研究人员发布报告,披露攻击者利用一种新型技术成功绕过头部EDR产品SentinelOne的防护。该技术名为“自带安装程序”(Bring Your Own Installer),通过利用SentinelOne代理程序升级/降级流程中的漏洞,绕过防篡改功能,导致终端失去保护。 Stroz Friedberg研究人员观察到攻击者使用该技术获取本地管理员权限,绕过EDR防护并执行Babuk勒索软件变种。SentinelOne已针对该报告向客户提供缓解措施。“截至报告发布时,怡安集团Stroz Friedberg尚未发现任何EDR厂商(包括SentinelOne)在正确配置产品的情况下受到此攻击影响。”研究人员在报告中指出。 与其他EDR产品类似,SentinelOne的EDR具备防篡改功能,旨在阻止未授权用户禁用防护措施及恶意软件终止EDR进程。该功能需要管理员在管理控制台执行操作或使用唯一代码才能解除防护。然而,Stroz Friedberg研究人员发现攻击者通过利用公开服务器应用的漏洞,获取了运行SentinelOne EDR主机的本地管理员权限。 在系统取证分析中,研究人员发现多项EDR绕过迹象,包括:多个合法签名的SentinelOne安装程序文件(如SentinelOneInstaller_windows_64bit_v23_4_4_223.exe和SentinelInstaller_windows_64bit_v23_4_6_347.msi)的创建记录;与产品版本变更相关的额外事件日志(包括计划任务变更、服务停止/启动事件、本地防火墙配置变更等)。 基于这些发现,Stroz Friedberg研究人员通过实验复现了SentinelOne EDR软件的潜在漏洞。他们在安装23.4.6.223版本SentinelOne EDR的Windows 2022 Server虚拟机上,使用MSI安装程序启动代理程序升级/降级流程。升级/降级过程会在生成新版本进程前约55秒终止所有现有进程,形成短暂的无防护窗口期。研究人员利用本地管理员权限执行taskkill命令终止与升级相关的msiexec.exe进程,最终导致系统失去SentinelOne防护,并在管理控制台显示为离线状态。 针对该发现,SentinelOne迅速向客户发布缓解指南,包括:启用默认开启的本地代理密码功能防止未授权卸载;使用本地升级授权功能确保通过控制台认证升级流程。报告发布后,SentinelOne已对所有新客户默认开启本地更新授权功能,并协助研究人员将攻击模式私下披露给其他EDR厂商。部分被联系厂商未对此攻击模式披露作出回应。 消息来源: infosecurity-magazine; 本文由 HackerNews.cc 翻译整理,封面来源于网络; 转载请注明“转自 HackerNews.cc”并附上原文
hackernews
CVE-2020-8318 | Lenovo System Interface Foundation LenovoSystemUpdatePlugin privileges management
9 months ago
A vulnerability was found in Lenovo System Interface Foundation and classified as problematic. This issue affects some unknown processing of the component LenovoSystemUpdatePlugin. The manipulation leads to improper privilege management.
The identification of this vulnerability is CVE-2020-8318. Local access is required to approach this attack. There is no exploit available.
vuldb.com
CVE-2020-8319 | Lenovo System Interface Foundation up to 1.1.19.2 privileges management
9 months ago
A vulnerability was found in Lenovo System Interface Foundation up to 1.1.19.2. It has been classified as problematic. Affected is an unknown function. The manipulation leads to improper privilege management.
This vulnerability is traded as CVE-2020-8319. Attacking locally is a requirement. There is no exploit available.
It is recommended to upgrade the affected component.
vuldb.com
俄罗斯黑客利用 ClickFix 虚假验证码传播新型 LOSTKEYS 恶意软件
9 months ago
HackerNews 编译,转载请注明出处: 与俄罗斯有关的威胁行为者COLDRIVER被发现分发名为LOSTKEYS的新恶意软件,该行动采用类似ClickFix的社会工程诱饵实施网络间谍活动。谷歌威胁情报组(GTIG)表示:“LOSTKEYS能够从硬编码的扩展名和目录列表中窃取文件,并向攻击者发送系统信息和运行进程。” GTIG称,该恶意软件在2025年1月、3月和4月针对西方政府和军队现任及前任顾问、记者、智库、非政府组织以及乌克兰相关人士的攻击中被发现。LOSTKEYS是COLDRIVER继SPICA之后开发的第二个定制恶意软件,标志着该组织持续偏离其知名的凭证钓鱼活动。该黑客组织还被追踪为Callisto、Star Blizzard和UNC4057。 网络安全研究人员Wesley Shields表示:“他们以窃取凭证闻名,在获取目标账户访问权限后会窃取邮件和联系人列表。在特定案例中,COLDRIVER还会向目标设备投放恶意软件,并试图访问系统文件。” 最新攻击始于包含虚假验证码验证提示的诱饵网站,受害者被要求打开Windows运行对话框并粘贴复制的PowerShell命令。这种被广泛称为ClickFix的社会工程技术会下载并执行远程服务器(“165.227.148[.]68”)的第二阶段载荷,该载荷在可能进行虚拟机检测后才会下载第三阶段恶意软件。 经过Base64编码的第三阶段载荷被解码为PowerShell脚本,负责在受感染主机上执行LOSTKEYS,使攻击者能够收集系统信息、运行进程以及硬编码列表中的文件。与SPICA类似,该恶意软件被认为是选择性部署的,表明攻击具有高度针对性。 谷歌还发现了可追溯至2023年12月的LOSTKEYS伪装样本,这些样本假扮成Maltego开源调查平台的二进制文件。目前尚不清楚这些样本是否与COLDRIVER有关,或恶意软件是否从2025年1月开始被攻击者重新利用。 随着ClickFix技术被更多威胁行为者采用,包括传播银行木马Lampion和窃密软件Atomic Stealer,其应用范围持续扩大。根据Palo Alto Networks Unit 42的分析,传播Lampion的攻击使用带有ZIP附件的钓鱼邮件,压缩包内的HTML文件会将受害者重定向至包含ClickFix指令的虚假登录页面。 “Lampion感染链的另一个有趣之处在于其分为多个非连续阶段,作为独立进程执行,”Unit 42指出,“这种分散式执行使检测复杂化,因为攻击流程不会形成易于识别的进程树,而是由看似无害的独立事件组成复杂链条。”该活动主要针对葡萄牙语用户,涉及政府、金融和运输等多个领域。 近期ClickFix策略还与名为EtherHiding的隐匿技术结合使用,通过币安智能链(BSC)合约隐藏载荷,最终传播macOS窃密软件Atomic Stealer。化名Badbyte的研究人员表示:“点击‘我不是机器人’会触发币安智能合约,使用EtherHiding技术向剪贴板传递Base64编码命令,提示用户通过macOS快捷键(⌘ + Space, ⌘ + V)在终端运行。该命令下载的脚本会获取并执行经签名的Mach-O二进制文件,确认为Atomic Stealer。” 进一步调查发现,该活动可能已入侵约2,800个合法网站来提供虚假验证码提示。研究人员将这次大规模水坑攻击代号定为MacReaper。研究人员补充道。“攻击利用混淆JavaScript、三个全屏iframe和基于区块链的命令基础设施来最大化感染范围,” 消息来源: thehackernews; 本文由 HackerNews.cc 翻译整理,封面来源于网络; 转载请注明“转自 HackerNews.cc”并附上原文
hackernews
No Fairy Tale Ending: PowerSchool's Hacker Targets Customers
9 months ago
After Vendor Paid for Data-Deletion Promise, Criminals Extort Schools Directly
Students, gather round for the sad story of how PowerSchool got schooled by hackers, who stole data on students and teachers. After PowerSchool paid a ransom for a guarantee that the data would be deleted, the bad hackers failed to honor their promise.
Students, gather round for the sad story of how PowerSchool got schooled by hackers, who stole data on students and teachers. After PowerSchool paid a ransom for a guarantee that the data would be deleted, the bad hackers failed to honor their promise.
Live Webinar | 2025 State of the SOC Report: The Impact of AI on SOC Services
9 months ago