Aggregator

安全工作获得成功的前提，是能通过立项获得项目机会。3月5日晚19:30，聊聊企业安全项目立项的那些事

安全工作获得成功的前提，是能通过立项获得项目机会。3月5日晚19:30，聊聊企业安全项目立项的那些事

HackerNews 编译，转载请注明出处： 网络安全研究人员近日指出，一种新的网络钓鱼活动正在利用 ClickFix 技巧来传递一个名为 Havoc 的开源命令与控制（C2）框架。 “威胁行为者将每个恶意软件阶段隐藏在 SharePoint 站点之后，并使用修改版的 Havoc Demon 与 Microsoft Graph API 结合，以在受信任的知名服务中隐藏 C2 通信，”Fortinet ForEGuard Labs 在一份与《黑客新闻》共享的技术报告中表示。 此次攻击的起点是一封包含 HTML 附件（“Documents.html”）的网络钓鱼邮件，当用户打开该附件时，会显示一条错误消息，该消息利用 ClickFix 技巧诱骗用户将恶意 PowerShell 命令复制并粘贴到终端或 PowerShell 中执行，从而触发下一阶段的攻击。 该命令旨在下载并执行托管在攻击者控制的 SharePoint 服务器上的 PowerShell 脚本。新下载的 PowerShell 会检查其是否在沙盒环境中运行，然后才会继续下载 Python 解释器（“pythonw.exe”），如果系统中尚未存在该解释器的话。 通过 SharePoint 站点部署 Havoc C2 接下来的步骤是从同一个 SharePoint 位置获取并执行一个 Python 脚本，该脚本作为 KaynLdr 的 shellcode 加载器，KaynLdr 是一个用 C 和 ASM 编写的反射加载器，能够启动嵌入的 DLL，即在此情况下在受感染主机上启动 Havoc Demon 代理。 “威胁行为者使用 Havoc 与 Microsoft Graph API 结合，以在知名服务中隐藏 C2 通信，”Fortinet 表示，并补充说该框架支持收集信息、执行文件操作、命令和有效载荷执行、令牌操作以及 Kerberos 攻击等功能。 与此同时，Malwarebytes 揭示了威胁行为者继续利用 Google Ads 政策中的已知漏洞，通过可能已被攻陷的广告商账户投放针对 PayPal 客户的虚假广告。 这些广告旨在诱骗那些搜索与账户问题或支付问题相关的帮助的受害者拨打一个欺诈电话，最终可能导致他们交出个人和财务信息。 “Google 登陆页面（也称为最终 URL）政策中的一个弱点，允许任何人只要登陆页面和显示 URL（广告中显示的网页）属于同一域名，就可以冒充热门网站，”Malwarebytes 研究高级总监 Jérôme Segura 说道。 “黑客们就像秃鹫一样，盘旋在最热门的 Google 搜索词之上，尤其是在涉及任何在线帮助或客户服务时。”   消息来源：The Hacker News；  本文由 HackerNews.cc 翻译整理，封面来源于网络；   转载请注明“转自 HackerNews.cc”并附上原文

The adoption of privacy enhancing technologies, including fully homomorphic encryption, can help secure data as it is collected, integrated and shared for detecting and responding to public health emergencies such as bird flu, said Kurt Rohloff, co-founder and CTO of Duality Technologies.

Reports: Cyber Command Ordered to Halt Offensive Operations Against Russia
Russia won't have the United States to worry about in cyberspace in an apparent concession to Moscow meant to grease talks between the two capitals over the fate of Ukraine. Defense Secretary Pete Hegseth ordered U.S. Cyber Command to halt offensive cyber operations against Russia.

AI-Driven Incident Response, Observability Boost SolarWinds' Operational Efficiency
SolarWinds' acquisition of Squadcast strengthens its IT management portfolio with AI-powered incident response. Customers report faster remediation, reduced noise and improved resilience. The integration promises a smarter, more efficient approach to IT operations.

Committee Witnesses Favor Resilience Over Bans
The British government should focus on building operational resilience rather than imposing ransom payment bans, security experts told a parliamentary committee. The British government in January floated a ban on the public sector and critical infrastructure owners paying digital extortion.

HackerNews 编译，转载请注明出处： 据 Palo Alto Networks Unit 42 的调查发现，网络犯罪分子正将目标对准亚马逊网络服务（AWS）环境，向毫无戒心的目标推送网络钓鱼活动。 这家网络安全公司正在追踪一个名为 TGR-UNK-0011（代表动机不明的威胁组织）的活动集群，该公司表示，该集群与一个名为 JavaGhost 的组织有重叠。据悉，TGR-UNK-0011 自 2019 年以来一直活跃。 “该组织历史上一直专注于网站篡改，”安全研究员玛格丽特・凯利（Margaret Kelley）表示。“2022 年，他们转向发送网络钓鱼电子邮件以谋取经济利益。” 值得注意的是，这些攻击并未利用 AWS 的任何漏洞。相反，威胁行为者利用受害者环境中暴露的 AWS 访问密钥的配置错误，通过滥用亚马逊简单电子邮件服务（SES）和 WorkMail 服务发送网络钓鱼消息。 这样一来，其作案手法的好处是无需托管或支付自己的基础设施来开展恶意活动。 更重要的是，这使得威胁行为者的网络钓鱼消息能够绕过电子邮件保护，因为这些数字信件源自目标组织之前接收过电子邮件的已知实体。 “JavaGhost 获得了与身份和访问管理（IAM）用户相关的暴露的长期访问密钥，这使他们能够通过命令行界面（CLI）获得对 AWS 环境的初始访问权限，”凯利解释道。 “在 2022 年至 2024 年期间，该组织演变了他们的战术，采用了更高级的防御规避技术，试图在 CloudTrail 日志中隐藏身份。这种战术历史上曾被 Scattered Spider 利用。” 一旦确认获得对组织 AWS 账户的访问权限，攻击者就会生成临时凭证和登录 URL 以允许控制台访问。Unit 42 指出，这使他们能够隐藏自己的身份并查看 AWS 账户内的资源。 随后，该组织被观察到利用 SES 和 WorkMail 建立网络钓鱼基础设施，创建新的 SES 和 WorkMail 用户，并设置新的 SMTP 凭证以发送电子邮件消息。 “在攻击的时间范围内，JavaGhost 创建了各种 IAM 用户，其中一些他们在攻击期间使用，而另一些他们从未使用，”凯利说道。“未使用的 IAM 用户似乎充当长期持久性机制。” 威胁行为者作案手法的另一个显著特点是创建了一个带有信任策略的新 IAM 角色，从而允许他们从其控制的另一个 AWS 账户访问组织的 AWS 账户。 “该组织继续在攻击过程中留下相同的标记，通过创建名为 Java_Ghost 的新亚马逊弹性云计算（EC2）安全组，其组描述为‘我们存在但不可见’，”Unit 42 总结道。“这些安全组不包含任何安全规则，该组织通常不会尝试将这些安全组附加到任何资源。安全组的创建出现在 CloudTrail 日志的 CreateSecurityGroup 事件中。”   消息来源：The Hacker News；  本文由 HackerNews.cc 翻译整理，封面来源于网络；   转载请注明“转自 HackerNews.cc”并附上原文

一图概览

一图概览

一图概览

一图概览

A vulnerability, which was classified as very critical, was found in Hitachi Vantara Pentaho Business Analytics Server. Affected is an unknown function of the component Spring Template Handler. The manipulation leads to injection. This vulnerability is traded as CVE-2022-43769. It is possible to launch the attack remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Hitachi Vantara Pentaho Business Analytics Server. It has been declared as critical. This vulnerability affects unknown code. The manipulation leads to use of non-canonical url paths for authorization decisions. This vulnerability was named CVE-2022-43939. The attack can be initiated remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Progress WhatsUp Gold up to 2023.1.2. It has been rated as very critical. This issue affects some unknown processing. The manipulation leads to path traversal. The identification of this vulnerability is CVE-2024-4885. The attack may be initiated remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Linux Kernel up to 6.12.0. It has been classified as critical. This affects an unknown part of the component uvcvideo. The manipulation leads to out-of-bounds write. This vulnerability is uniquely identified as CVE-2024-53104. The attack needs to be initiated within the local network. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

SpaceX 猎鹰 9 号着陆后因意外起火而倾覆；小米 SU7 Ultra 将于 3 月 5 日开启限时改配；字节跳动发布 AI 编程工具 Trae 国内版

分享几款全球主流勒索病毒解密源代码

A vulnerability was found in Apple macOS and classified as problematic. Affected by this issue is some unknown functionality of the component File Parser. The manipulation leads to denial of service. This vulnerability is handled as CVE-2025-24163. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Apple visionOS. It has been classified as problematic. This affects an unknown part of the component File Parser. The manipulation leads to denial of service. This vulnerability is uniquely identified as CVE-2025-24163. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.