Aggregator

HackerNews 编译，转载请注明出处： 自2025年3月起，针对俄罗斯组织的定向钓鱼攻击使用虚假合同主题电子邮件传播Batavia间谍软件，这是一种旨在窃取内部文件的新型恶意软件。该攻击自2024年7月以来持续进行，始于伪装成合同或附件的恶意.vbe文件链接。该恶意软件包含一个VBA脚本和两个可执行文件，卡巴斯基已将其检测为Trojan.Batavia变种。 卡巴斯基发布的报告指出：“自2025年3月初以来，我们的系统记录到俄罗斯各机构员工检测到的类似文件（例如договор-2025-5.vbe、приложение.vbe和dogovor.vbe，中文译注：合同、附件）数量有所增加。定向攻击始于以签订合同为借口发送包含恶意链接的诱饵邮件。” 点击钓鱼邮件中的链接会下载VBE脚本，该脚本收集系统信息并从攻击者的域名检索恶意软件文件(WebView.exe)。该脚本检查操作系统版本以决定如何执行有效载荷，并将数据发送到命令与控制(C2)服务器。攻击使用针对每封电子邮件定制的参数来管理感染阶段并规避检测。 在攻击链的第二阶段，WebView.exe恶意软件（用Delphi编写）下载并显示虚假合同，然后开始监视受感染的系统。它收集系统日志、办公文档，并定期截取屏幕截图发送到新的C2服务器。为避免重复上传，它会对每个文件进行哈希处理。同时下载新的恶意软件阶段(javav.exe)并设置启动快捷方式，以便在系统重启时继续感染过程。 在攻击链的最后阶段，恶意软件javav.exe（用C++编写）扩展攻击范围，针对更多文件类型（如图像、电子邮件、演示文稿、存档），使用更新的感染ID(2hc1-…)将其传输到C2服务器。它现在可以更改C2地址，并通过computerdefaults.exe实现UAC绕过来下载/执行新有效载荷(windowsmsg.exe)。与C2的通信采用加密传输，并通过文件哈希避免重复上传。据卡巴斯基称，此阶段引入灵活性和持久性以促进进一步恶意活动。 研究人员注意到Batavia间谍软件活动的受害者是俄罗斯工业企业。卡巴斯基遥测数据显示，数十家机构的超过100名用户收到了钓鱼邮件。 报告总结道：“值得注意的是，此次攻击的初始感染媒介是诱饵邮件。这凸显了常态化员工培训和提高企业网络安全实践意识的重要性。”        消息来源： securityaffairs； 本文由 HackerNews.cc 翻译整理，封面来源于网络； 转载请注明“转自 HackerNews.cc”并附上原文

Security researchers have uncovered critical vulnerabilities in SMBClient for macOS that affect both user space and the operating system kernel. These flaws potentially allow for remote execution of arbitrary code and the termination of...

The post Critical macOS SMBClient Flaws Allow Remote Code Execution & Kernel Crashes appeared first on Penetration Testing Tools.

In recent months, cybersecurity experts have observed a dramatic surge in the malicious exploitation of domains within the .es top-level domain (TLD). Over the past six months alone, the number of such incidents has...

The post Spain’s .es Domain Surges 19x in Cybercrime Use: Now Third Most Popular for Phishing & RATs appeared first on Penetration Testing Tools.

RCE漏洞3万起！

文章解释了“521错误代码”表示Web服务器返回了无效响应的问题，通常由服务器配置错误、网络问题或过载引起。建议检查服务器配置、联系主机提供商或优化服务器性能以解决问题。

HackerNews 编译，转载请注明出处： 自称“Rey”的黑客宣称从西班牙电信巨头Telefónica窃取106GB数据，但该公司回应称这仅是敲诈企图。 在埃隆·马斯克旗下社交平台X的声明中，Rey指出Telefónica否认其内部网络遭数据窃取，因此将先行公开5GB数据作为证据。黑客威胁称：“我将很快公布完整文件目录树；若未来数周内Telefónica仍不妥协，全部数据档案将被公开 。” 据技术媒体BleepingComputer核实，Rey已发布超2万份文件佐证入侵真实性。黑客透露攻击发生于2025年5月30日，在Telefónica IT人员察觉前已持续窃密12小时。据称窃取总量达385,311份文件（106.3GB），涵盖五类核心数据： 内部通信记录（服务工单与邮件） 采购订单及商业伙伴发票 系统操作日志 客户档案 员工信息 Telefónica官方至今未承认事件，但有员工指称这是利用过时信息的敲诈行为。值得关注的是，Rey隶属勒索组织HellCat，该组织2025年1月就曾通过Jira开发服务器入侵Telefónica窃取客户信息。不同于传统勒索模式，HellCat采用“不认账即全泄露”的胁迫策略，此次事件再次印证其战术特征。 Telefónica作为全球顶级电信运营商，拥有逾10万员工，2024年营收达405亿美元（约合人民币2920亿元），毛利近205亿美元（约合人民币1476亿元）。       消息来源： cybernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络； 转载请注明“转自 HackerNews.cc”并附上原文

Experts at Wiz have identified a new wave of attacks targeting TeamCity servers—a widely used platform for orchestrating CI/CD workflows. Threat actors exploited a misconfigured Java Debug Wire Protocol (JDWP) interface, enabling remote command...

The post Exposed JDWP Debug Ports Under Attack: Cryptominers Infiltrating Java Apps in Hours appeared first on Penetration Testing Tools.

A vulnerability was found in rjrodger rjrodger jsonic-next 2.12.1. It has been declared as problematic. This vulnerability affects the function util.clone. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). This vulnerability was named CVE-2024-39002. Access to the local network is required for this attack to succeed. There is no exploit available.

A vulnerability, which was classified as problematic, has been found in amoyjs amoy common 1.0.10. Affected by this issue is the function setValue. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). This vulnerability is handled as CVE-2024-39003. The attack needs to be done within the local network. There is no exploit available.

A vulnerability classified as critical was found in Online Clinic Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /success/editp.php?action=edit. The manipulation of the argument ID leads to sql injection. This vulnerability is known as CVE-2024-48597. The attack can be launched remotely. There is no exploit available.

A vulnerability, which was classified as critical, was found in Mitel MiCollab up to 9.8.0.33. Affected is an unknown function of the component NuPoint Messenger. The manipulation leads to sql injection. This vulnerability is traded as CVE-2024-35286. It is possible to launch the attack remotely. There is no exploit available.

A vulnerability has been found in Mitel MiCollab up to 9.8.1.5 and classified as critical. Affected by this vulnerability is an unknown functionality of the component NuPoint Messenger. The manipulation leads to execution with unnecessary privileges. This vulnerability is known as CVE-2024-35287. The attack can be launched remotely. There is no exploit available.

A vulnerability was found in Mitel MiCollab up to 9.8.1.201. It has been declared as critical. This vulnerability affects unknown code of the component Conferencing Component. The manipulation leads to improper access controls. This vulnerability was named CVE-2024-47912. The attack can be initiated remotely. There is no exploit available.

A vulnerability has been found in Vilo Mesh WiFi System up to 5.16.1.33 and classified as critical. This vulnerability affects unknown code of the component TCP Service Port 5432. The manipulation leads to missing authentication. This vulnerability was named CVE-2024-40087. The attack can be initiated remotely. There is no exploit available. It is recommended to apply restrictive firewalling.

A vulnerability was found in Vilo Mesh WiFi System up to 5.16.1.33. It has been classified as critical. Affected is an unknown function of the component Boa Webserver. The manipulation leads to buffer overflow. This vulnerability is traded as CVE-2024-40084. It is possible to launch the attack remotely. There is no exploit available.

A vulnerability was found in Mitel MiCollab up to 9.8.1.201. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component AWV. The manipulation leads to sql injection. This vulnerability is known as CVE-2024-47223. The attack can be launched remotely. There is no exploit available.

A vulnerability classified as critical was found in Vilo Mesh WiFi System up to 5.16.1.33. This vulnerability affects unknown code of the component Boa Webserver. The manipulation leads to path traversal. This vulnerability was named CVE-2024-40088. The attack can be initiated remotely. There is no exploit available.

A vulnerability has been found in parisneo lollms-webui up to 9.8 and classified as problematic. This vulnerability affects the function lollms_binding_infos. The manipulation of the argument client_id leads to cross-site request forgery. This vulnerability was named CVE-2024-6040. The attack can be initiated remotely. There is no exploit available.

A vulnerability was found in Microsoft Windows. It has been classified as critical. This affects an unknown part of the component Clipboard Virtual Channel Extension. The manipulation leads to sensitive data storage in improperly locked memory. This vulnerability is uniquely identified as CVE-2024-38131. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in Mitel MiCollab up to 9.8.0.33. It has been rated as critical. This issue affects some unknown processing of the component NuPoint Messenger. The manipulation leads to command injection. The identification of this vulnerability is CVE-2024-35285. The attack may be initiated remotely. There is no exploit available.