Aggregator
Employees repeatedly fall for vendor email compromise attacks
In just 12 months, attackers attempted to steal more than $300 million via vendor email compromise (VEC), with 7% of engagements coming from employees who had engaged with a previous attack, according to Abnormal AI.
Vendor email compromise risks increase with organization size
Employees struggle to differentiate between legitimate messages and attacks, especially when those emails appear to come from a trusted vendor. Employees in the largest organizations, with workforces of 50,000 or more, had … More →
The post Employees repeatedly fall for vendor email compromise attacks appeared first on Help Net Security.
Do You Really Need a REAL ID to Fly in the US? Breaking Down the Myths
Join us as we discuss the long-awaited implementation of the REAL ID Act in the U.S. We cover the essentials you need to fly, the potential benefits of using your passport, and how new mobile IDs fit into the TSA’s plans. We also discuss the broader implications for identity surveillance and who truly benefits from […]
The post Do You Really Need a REAL ID to Fly in the US? Breaking Down the Myths appeared first on Shared Security Podcast.
The post Do You Really Need a REAL ID to Fly in the US? Breaking Down the Myths appeared first on Security Boulevard.
New PumaBot botnet brute-forces SSH credentials to compromise devices
A newly discovered Go-based Linux botnet malware named PumaBot deploys malicious payloads by brute-forcing SSH credentials on embedded IoT devices.
PumaBot's targeted nature also shows in the way it goes after specific IP addresses from a list fetched from its command-and-control (C2) server, rather than scanning the internet broadly.
Targeting surveillance cameras
Darktrace documented PumaBot in a report outlining the botnet's attack flow, indicators of compromise (IoCs) and detection rules. The malware receives a list of target IPs from its C2 (ssh.ddos-cc.org) and attempts brute-force logins against open SSH on port 22. During this process it checks for the presence of the string "Pumatronix", which likely corresponds to targeting that vendor's surveillance and traffic camera systems.
Once targets are established, the malware receives credentials to test against them. If successful, it runs 'uname -a' to gather environment information and verify that the target device is not a honeypot.
Next, it writes its main binary (jierui) to /lib/redis and installs a systemd service (redis.service) to ensure persistence across device reboots.
Finally, it injects its own SSH key into the "authorized_keys" file to retain access even if the main infection is cleaned up.
While an infection is active, PumaBot can receive commands to attempt data theft, introduce new payloads, or steal data useful for lateral movement.
Payload examples Darktrace observed include self-update scripts, a PAM rootkit (replacing the legitimate "pam_unix.so"), and daemons (the binary "1").
The malicious PAM module captures local and remote SSH login details and stores them in a text file (con.txt). The "watcher" binary (1) continuously looks for that text file and then exfiltrates it to the C2.
Credentials written to the text file
After exfiltration, the text file is wiped from the infected host to remove any trace of the malicious activity. PumaBot's scale and success rate are currently unknown, and no source mentions how broad the target IP list is.
What sets this new botnet malware apart is that, rather than directly using compromised IoT devices for low-level cybercrime such as distributed denial-of-service (DDoS) attacks or proxy networks, it launches targeted attacks that open the way to deeper penetration of corporate networks.
To defend against botnet threats, it is recommended to upgrade IoT devices to the latest available firmware version, change default credentials, place them behind a firewall, and isolate them on a separate network away from valuable systems.
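A host-side audit for the persistence artifacts the report names (the binary under /lib/redis, the fake redis.service unit, an injected authorized_keys entry and the con.txt credential file), written as an added Python example for this page, not Darktrace's detection rules. The file layout under /lib/redis, the directories searched for con.txt, the trusted_keys allow-list and the fixture contents are assumptions; the root parameter lets the same audit run over a mounted disk image.

```python
import os, re, tempfile
from pathlib import Path
# Artifacts named above; the layout under /lib/redis is an assumption.
PATH_INDICATORS = {
    "lib/redis/jierui": "PumaBot main binary (jierui)",
    "lib/redis/1": "PumaBot watcher daemon (binary '1')",
    "etc/systemd/system/redis.service": "persistence unit redis.service",
}
# A genuine redis unit starts redis-server, never a binary under /lib/redis/.
EXEC_FROM_LIB_REDIS = re.compile(r"^ExecStart=[-@+!:]*/lib/redis/", re.M)

def authorized_key_files(root):
    yield os.path.join(root, "root/.ssh/authorized_keys")
    home = os.path.join(root, "home")
    for user in (os.listdir(home) if os.path.isdir(home) else []):
        yield os.path.join(home, user, ".ssh/authorized_keys")

def audit_host(root="/", trusted_keys=frozenset(), con_dirs=("tmp", "var/tmp", "lib")):
    """Return (finding, path) tuples; root lets the audit run over a mounted image."""
    findings = []
    for rel, desc in PATH_INDICATORS.items():
        if os.path.exists(os.path.join(root, rel)):
            findings.append((desc, os.path.join(root, rel)))
    unit = Path(root, "etc/systemd/system/redis.service")
    if unit.is_file() and EXEC_FROM_LIB_REDIS.search(unit.read_text(errors="replace")):
        findings.append(("redis.service executes a binary from /lib/redis", str(unit)))
    # Injected key: a key blob (second field) absent from the admin allow-list.
    for ak in map(Path, authorized_key_files(root)):
        for line in ak.read_text(errors="replace").splitlines() if ak.is_file() else []:
            parts = line.split()
            if len(parts) >= 2 and not line.startswith("#") and parts[1] not in trusted_keys:
                findings.append(("unrecognised authorized_keys entry", str(ak)))
    # Credential file the malicious PAM module writes before it is exfiltrated.
    for d in con_dirs:
        for dirpath, _, files in os.walk(os.path.join(root, d)):
            if "con.txt" in files:
                findings.append(("PAM credential log con.txt", os.path.join(dirpath, "con.txt")))
    return findings

def build_sample_root():
    """Constructed fixture imitating an infected host's files; contains no real malware."""
    root = tempfile.mkdtemp()
    fixture = {
        "lib/redis/jierui": "placeholder",
        "etc/systemd/system/redis.service": "[Service]\nExecStart=/lib/redis/jierui\n",
        "root/.ssh/authorized_keys": "ssh-ed25519 AAAAC3trusted admin@corp\nssh-rsa AAAAB3injected\n",
        "tmp/con.txt": "constructed credential line\n",
    }
    for rel, content in fixture.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root
```

Run `audit_host("/", trusted_keys={...})` as root on a suspect device, or point root at a mounted image; every non-empty result deserves a look, since a clean host should return an empty list.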
CVE-2007-1498 | McAfee ProtectionPilot 1.1.1/1.5.0 Management Console sitemanager.dll swprintf stack-based overflow (VU#714593 / Nessus ID 24814)
CVE-2007-1591 | Trend Micro Norton AntiVirus UPX denial of service (Nessus ID 24815 / ID 115528)
CVE-2007-1608 | IBM WebSphere Application Server 6.0.x HTTP Response cross site scripting (Nessus ID 45416 / ID 87056)
CVE-2007-1560 | Squid Proxy up to 2.6.STABLE11 TRACE Request denial of service (Nessus ID 67467 / ID 156086)
CVE-2008-3370 | EMC Centera Universal Access 4.0 4735 Login sql injection (EDB-32113 / XFDB-43981)
CVE-2013-4679 | Symantec Workspace Virtualization 6.4.1895.0 fslx.sys NtQueryValueKey ResultLength memory corruption (EDB-26950 / Nessus ID 72219)
Volcano Engine (火山引擎): single-machine deployment of DeepSeek-R1 with a W4A8 scheme halves deployment cost
CVE-2018-6373 | Fastball 2.5 on Joomla Parameter sql injection (EDB-44109)
CVE-2008-4649 | Elxis CMS 2008.1 PHPSESSID improper authentication (EDB-32488 / XFDB-45868)
A tax-refund link sent by an "acquaintance"? Beware the "Silver Fox" (银狐) card-fraud trap
CVE-2025-5856 | PHPGurukul BP Monitoring Management System 1.0 /registration.php emailid sql injection (EUVD-2025-17420)
Multiple High-Risk Vulnerabilities in DataEase (CVE-2025-49001/CVE-2025-49002/CVE-2025-48999)
Overview Recently, NSFOCUS CERT has detected that DataEase has issued a security bulletin to fix multiple high-risk vulnerabilities in DataEase (CVE-2025-49001/CVE-2025-49002/CVE-2025-48999). Used in combination, they can achieve unauthorized code execution. At present, the vulnerability details and PoC have been made public. Affected users are requested to take protective measures as soon as possible. CVE-2025-49001: Due […]
The post Multiple High-Risk Vulnerabilities in DataEase (CVE-2025-49001/CVE-2025-49002/CVE-2025-48999) appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.
The post Multiple High-Risk Vulnerabilities in DataEase (CVE-2025-49001/CVE-2025-49002/CVE-2025-48999) appeared first on Security Boulevard.