Aggregator

A vulnerability was found in GLPI up to 0.83.31. It has been rated as critical. Affected by this issue is some unknown functionality. The manipulation of the argument table leads to sql injection. This vulnerability is handled as CVE-2013-2226. The attack may be launched remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as very critical was found in Red Hat Linux 4.2/5.0/5.1/5.2/6.0. This vulnerability affects unknown code of the component Automounter Daemon. The manipulation leads to memory corruption. This vulnerability was named CVE-1999-0704. The attack can be initiated remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

HackerNews 编译，转载请注明出处： 网络安全研究人员发现，恶意行为者在各种恶意垃圾邮件活动中继续通过伪造发件人电子邮件地址取得成功。 伪造电子邮件的发件人地址通常被视为一种让数字信息看起来更合法并绕过可能将其标记为恶意的安全机制的手段。 尽管有域名密钥识别邮件（DKIM）、基于域名的邮件身份验证、报告和一致性（DMARC）以及发件人策略框架（SPF）等保障措施可以防止垃圾邮件发送者伪造知名域名，但这些措施反而促使他们利用老旧、被忽视的域名进行活动。 这样做的话，电子邮件信息很可能会绕过依赖域名年龄来识别垃圾邮件的安全检查。 一家DNS威胁情报公司在与《黑客新闻》分享的一项新分析中发现，包括Muddling Meerkat在内的威胁行为者滥用了一些自身拥有的、已近20年未用于托管内容的老旧顶级域名（TLD）。 “这些域名缺少大多数DNS记录，包括通常用于检查发件人域名真实性的记录，如SPF记录，”该公司表示，“这些域名简短且属于高声誉的顶级域名。”自2022年12月以来一直活跃的一项此类活动涉及分发带有指向钓鱼网站的二维码附件的电子邮件，并指示收件人打开附件并使用手机上的支付宝或微信应用扫描二维码。 这些电子邮件使用中文撰写的与税收相关的诱饵，同时以不同方式将二维码文档隐藏在电子邮件正文中包含的四位数字密码之后。在其中一个案例中，钓鱼网站要求用户输入其身份和银行卡信息，然后向攻击者进行欺诈付款。 “尽管这些活动确实使用了我们在Muddling Meerkat中看到的废弃域名，但它们似乎还广泛伪造随机域名，甚至包括不存在的域名，”Infoblox解释道，“行为者可能会使用这种技术来避免发送来自同一发件人的重复电子邮件。” 该公司表示，它还观察到了冒充亚马逊、万事达卡和SMBC等知名品牌，利用流量分发系统（TDSes）将受害者重定向到假冒登录页面以窃取其凭据的钓鱼活动。以下是一些已确定使用伪造发件人域名的电子邮件地址： mailto:[email protected][.]org mailto:[email protected][.]com mailto:[email protected][.]com mailto:[email protected][.]com mailto:[email protected][.]com mailto:[email protected][.]net mailto:[email protected][.]com 第三类垃圾邮件与勒索有关，其中电子邮件收件人被要求支付1800美元的比特币以删除据称安装在其系统上的远程访问木马所录制的令人尴尬的视频。 “行为者伪造用户自己的电子邮件地址，并挑战他们进行检查，”Infoblox表示，电子邮件告诉用户他们的设备已被入侵，作为证明，行为者声称该邮件是从用户自己的帐户发送的。” 这一披露正值法律、政府和建筑部门自2024年9月初以来成为旨在窃取Microsoft 365凭据的新型钓鱼活动“肉铺”的目标。 据Obsidian Security称，这些攻击滥用Canva、Dropbox DocSend和Google Accelerated Mobile Pages（AMP）等受信任平台将用户重定向到恶意网站。其他一些渠道包括电子邮件和被入侵的WordPress网站。 “在显示钓鱼页面之前，会显示一个带有Cloudflare Turnstile的自定义页面，以验证用户实际上是人类，”该公司表示，“这些旋转门使得电子邮件保护系统（如URL扫描器）更难检测到钓鱼网站。” 近几个月来，短信钓鱼活动冒充阿联酋执法机构发送虚假的付款请求，涉及不存在的交通违规、停车违规和执照续期。为此目的而设立的一些虚假网站被归因于一个名为Smishing Triad的已知威胁行为者。 中东的银行业客户也成为了一种复杂的社交工程计划的攻击目标，该计划在电话中冒充政府官员，并使用远程访问软件窃取信用卡信息和一次性密码（OTP）。 Group-IB在今天发布的一项分析中表示，这场针对个人数据已在暗网上通过窃取器恶意软件泄露的女性消费者的活动，据推测是未知母语为阿拉伯语的人所为。 “骗子利用受害者的合作意愿和服从指令的意愿，希望为他们不满意的购买获得退款。” Cofense发现的另一场活动涉及发送声称来自美国社会保障管理局的电子邮件，其中嵌入了下载ConnectWise远程访问软件安装程序的链接或将受害者定向到凭据收集页面。 这一发展发生在根据Interisle Consulting Group的一份报告，在2023年9月至2024年8月期间报告的网络犯罪域名中，通用顶级域名（gTLD）如.top、.xyz、.shop、.vip和.club占37%，尽管它们仅占域名市场总量的11%。 由于价格低廉且缺乏注册要求，这些域名已成为恶意行为者的诱人目标，从而为滥用打开了大门。在广泛用于网络犯罪的顶级域名中，有22个提供的注册费用低于2.00美元。 威胁行为者还被发现宣传一个名为PhishWP的恶意WordPress插件，该插件可用于创建可自定义的支付页面，模仿Stripe等合法支付处理器，通过Telegram窃取个人和财务数据。 SlashNext在一份新报告中表示：“攻击者既可以入侵合法的WordPress网站，也可以设置欺诈网站来安装它。在配置插件以模仿支付网关后，不明真相的用户会被诱骗输入其支付详情。插件会收集这些信息并将其直接发送给攻击者，通常是在实时状态下。”   消息来源：The Hacker News, 编译：zhongx；  本文由 HackerNews.cc 翻译整理，封面来源于网络；   转载请注明“转自 HackerNews.cc”并附上原文

error code: 521

A vulnerability was found in Foxit WAC Server 2.0 and classified as very critical. This issue affects some unknown processing. The manipulation leads to memory corruption. The identification of this vulnerability is CVE-2008-7031. The attack may be initiated remotely. Furthermore, there is an exploit available.

A vulnerability classified as critical was found in Apple tvOS up to 11.4.1. This vulnerability affects unknown code. The manipulation leads to use after free. This vulnerability was named CVE-2018-4306. The attack can be initiated remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

“AI Agent可能是下一个机器人行业，蕴含着价值数万亿美元的机会。”在刚刚结束的CES 202 […]

黄仁勋眼中的万亿美元机会，AI Agent也是网络安全的下一个关注点 日期：2025年01月09日 阅：73

新闻速览 •CISA发布自愿网络安全绩效目标，提升软件安全性 •Telegram交出数千个用户数据，隐私政策转 […]

Telegram交出数千个用户数据，隐私政策转变引发关注；美国启动网络信任标识计划，提升设备安全性 | 牛览 日期：2025年01月09日

你可能错过的新鲜事Apple 公布新春贺岁片预告1 月 8 日，Apple 公司公布了 2025 年的新春贺岁片的预热短片及海报。影片主题为《想和你一起听听歌》，由歌舞片导演迈克尔·格雷西执导，讲

A vulnerability, which was classified as problematic, has been found in wpdevteam Essential Addons for Elementor Plugin up to 5.9.9 on WordPress. This issue affects some unknown processing of the component Event Calendar Widget. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2024-1536. The attack may be initiated remotely. There is no exploit available.

A vulnerability has been found in wpdevteam Essential Addons for Elementor Plugin up to 5.9.9 on WordPress and classified as problematic. Affected by this vulnerability is an unknown functionality of the component Data Table Widget. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2024-1537. The attack can be launched remotely. There is no exploit available.

A vulnerability classified as problematic was found in Zitadel up to 2.47.3. Affected by this vulnerability is an unknown functionality of the component Template Handler. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2024-28855. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in OctoPrint up to 1.9.3/1.10.0rc2 and classified as problematic. This issue affects some unknown processing of the component URL Handler. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2024-28237. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Microsoft Xbox Gaming Services and classified as critical. This issue affects some unknown processing. The manipulation leads to link following. The identification of this vulnerability is CVE-2024-28916. An attack has to be approached locally. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Zitadel up to 2.48.2. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Login UI. The manipulation leads to incorrect authorization. This vulnerability is known as CVE-2024-29892. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

Meta 取消第三方事实核查当地时间 1 月 7 日，美国社交媒体平台 Facebook 和 Instagram 的母公司 Meta 宣布，将终止其第三方事实核查计划。这一转变正值 Meta CEO

曝谷歌正招兵买马组建世界模型团队；陈震开 FSD 撞护栏，评价不如小鹏和华为；黄仁勋称量子计算机可能需要 20 年实现。

A vulnerability, which was classified as problematic, has been found in Symantec Mail Security for Microsoft Exchange up to 6.5.8/7.0.4/7.5.4. This issue affects some unknown processing of the component RAR Decompression. The manipulation leads to memory corruption. The identification of this vulnerability is CVE-2016-5310. Attacking locally is a requirement. Furthermore, there is an exploit available. It is recommended to apply a patch to fix this issue.