Aggregator

HackerNews 编译，转载请注明出处： 网络安全公司FortiGuard事件响应团队（FGIR）在一份报告中披露，某伊朗国家支持的黑客组织对中东地区一家关键国家基础设施（CNI）实施了持续近两年的网络入侵。此次攻击活动从2023年5月持续至2025年2月，涉及“大规模间谍行动及疑似网络预置行为（一种用于维持长期访问以获取未来战略优势的战术）”。Fortinet指出，该攻击的技术特征与已知伊朗国家级威胁组织Lemon Sandstorm（原Rubidium，亦追踪为Parisite、Pioneer Kitten、UNC757）存在重叠。 该组织自2017年起活跃，攻击目标涵盖美国、中东、欧洲及澳大利亚的航空航天、石油天然气、水务和电力行业。工业网络安全公司Dragos分析称，该组织曾利用Fortinet、Pulse Secure和Palo Alto Networks的VPN已知漏洞获取初始访问权限。2023年，美国网络安全与情报机构指控Lemon Sandstorm对美国、以色列、阿塞拜疆和阿联酋的实体部署勒索软件。 此次针对CNI实体的攻击分为四个阶段，攻击者根据受害方的防御措施持续升级工具链： 2023年5月15日至2024年4月29日，攻击者利用窃取的登录凭证入侵受害者SSL VPN系统，在对外服务器部署Web Shell，并植入Havoc、HanifNet、HXLibrary三款后门程序维持长期访问； 2024年4月30日至2024年11月22日，攻击者追加部署Web Shell及新型后门NeoExpressRAT，使用plink、Ngrok等工具渗透内网，定向窃取受害者邮件数据并进行横向移动至虚拟化基础设施； 2024年11月23日至2024年12月13日，在受害者启动初步封堵措施后，攻击者部署更多Web Shell及后门MeshCentral Agent、SystemBC； 2024年12月14日至今，攻击者尝试利用Biotime漏洞（CVE-2023-38950、CVE-2023-38951、CVE-2023-38952）重新渗透网络，并对11名员工发起钓鱼攻击以窃取Microsoft 365凭证 值得注意的是，Havoc和MeshCentral都是开源工具，分别作为命令和控制（C2）框架和远程监控和管理（RMM）软件。另一方面，SystemBC指的是一种商品恶意软件，通常是勒索软件部署的前兆。 下面简要介绍了攻击中使用的其他自定义恶意软件家族和开源工具： Havoc：开源C2框架 MeshCentral：开源远程监控管理（RMM）软件 SystemBC：常用于勒索攻击前期的商品化恶意软件 HanifNet：未签名的.NET可执行文件，支持远程命令执行（2023年8月首次出现） HXLibrary：恶意IIS模块，通过Google Docs文档获取C2配置（2023年10月部署） CredInterceptor：基于DLL的凭证窃取工具，针对LSASS进程内存（2023年11月使用） RemoteInjector：载荷加载器，用于启动Havoc等后续攻击模块（2024年4月投入） NeoExpressRAT：疑似通过Discord通信的后门程序（2024年8月出现） DarkLoadLibrary：开源加载器，用于激活SystemBC（2024年12月部署） 攻击者使用的C2服务器（apps.gist.githubapp[.]net、gupdate[.]net）与Lemon Sandstorm历史活动存在关联。Fortinet指出，受害者受限的运营技术（OT）网络是主要攻击目标，攻击者通过链式代理工具和定制化植入程序绕过网络分段限制进行横向移动，后期甚至串联四种不同代理工具访问内部网段。尽管攻击者渗透了OT相邻系统所在的网络分区，但尚未发现其侵入OT网络的证据。 分析显示，大部分恶意活动为人工键盘操作（依据命令错误及规律工作时间判断），且攻击者可能早在2021年5月15日已获得网络访问权限。Fortinet强调：“攻击者在整个入侵过程中展现出极高的战术素养，通过定制化工具链维持持久性并规避检测，其操作纪律性暗示该组织可能具有国家背景或掌握充足资源。”       消息来源： thehackernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络；  转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability has been found in Oracle Financial Services Compliance Regulatory Reporting 8.0.6/8.0.7/8.0.8 and classified as critical. This vulnerability affects unknown code of the component Web Service to Regulatory Report. The manipulation leads to server-side request forgery. This vulnerability was named CVE-2019-0227. The attack needs to be approached within the local network. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

HackerNews 编译，转载请注明出处： 印度卡纳塔克邦高等法院于2025年4月29日裁定，要求印度政府在全国范围内封禁加密邮件服务提供商Proton Mail。此裁决源于印度公司M Moser Design Associated India Pvt Ltd于2025年1月提起的一项法律诉讼。 根据法律媒体LiveLaw报道，该公司指控其员工收到通过Proton Mail发送的包含淫秽辱骂语言、AI生成的深度伪造图像及其他露骨色情内容的电子邮件。 在听证会上，法官M Nagaprasanna命令印度政府“根据《2008年信息技术法案》第69A条及《2009年信息封锁规则》第10条启动程序封禁Proton Mail”，并强调“在印度政府完成相关程序前，应立即封锁相关违规URL”。截至本文撰写时，Proton Mail在印度境内仍可正常访问。网络安全媒体The Hacker News已联系瑞士Proton公司寻求置评，尚未收到回复。 这是Proton Mail在印度第二次面临封禁威胁。去年初，因有报道称通过该平台发送虚假炸弹威胁，Proton公司曾声明“坚决反对任何违反瑞士法律使用其服务的行为”。根据瑞士法律，该公司虽不得向外国政府机构传输数据，但有义务配合瑞士当局的调查要求——瑞士执法部门可能会与境外机构合作打击非法活动。Proton补充说明：“尽管端到端加密技术为用户的邮件、文件、日历项和密码提供强隐私保护，但禁止利用该服务从事违反瑞士法律的行为。” 此次裁决再度引发关于加密通信服务监管的争议。支持者认为全面封禁侵犯用户隐私权，而执法部门则强调加密技术可能被滥用于非法活动。业界正密切关注Proton公司的后续回应及印度政府的执行措施。值得关注的是，Proton Mail作为全球知名隐私优先邮件服务，其运营基于瑞士严格的隐私法规，长期吸引重视数据安全的用户群体。       消息来源： thehackernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络；  转载请注明“转自 HackerNews.cc”并附上原文

看起来很简单，记录久了，力量就能浮现（可惜，大多数人还是做不到）。

看起来很简单，记录久了，力量就能浮现（可惜，大多数人还是做不到）。

A vulnerability, which was classified as critical, was found in uClibc and uClibc-ng up to 1.0.38. This affects the function gethostbyname/getaddrinfo/gethostbyaddr/getnameinfo of the component Domain Name Handler. The manipulation leads to injection. This vulnerability is uniquely identified as CVE-2021-43523. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in Wuzhi CMS 4.1.0. Affected by this issue is some unknown functionality of the component System Bulletin. The manipulation leads to cross site scripting. This vulnerability is handled as CVE-2020-19770. The attack may be launched remotely. There is no exploit available.

A vulnerability, which was classified as critical, has been found in libexpat up to 2.4.2. Affected by this issue is the function storeAtts of the file xmlparse.c. The manipulation leads to memory corruption. This vulnerability is handled as CVE-2021-45960. The attack needs to be done within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in BusyBox up to 1.33.2. It has been declared as problematic. This vulnerability affects unknown code of the component unlzma Applet. The manipulation leads to out-of-bounds read. This vulnerability was named CVE-2021-42374. Access to the local network is required for this attack. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical has been found in libexpat up to 2.4.2. Affected is the function doProlog of the file xmlparse.c. The manipulation of the argument m_groupSize leads to integer overflow. This vulnerability is traded as CVE-2021-46143. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in libexpat up to 2.4.2. It has been declared as critical. This vulnerability affects the function addBinding of the file xmlparse.c. The manipulation leads to integer overflow. This vulnerability was named CVE-2022-22822. The attack needs to be approached within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in libexpat up to 2.4.2. It has been rated as critical. This issue affects the function build_model of the file xmlparse.c. The manipulation leads to integer overflow. The identification of this vulnerability is CVE-2022-22823. The attack can only be done within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical has been found in libexpat up to 2.4.2. Affected is the function defineAttribute of the file xmlparse.c. The manipulation leads to integer overflow. This vulnerability is traded as CVE-2022-22824. The attack can only be initiated within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical was found in libexpat up to 2.4.2. Affected by this vulnerability is the function lookup of the file xmlparse.c. The manipulation leads to integer overflow. This vulnerability is known as CVE-2022-22825. The attack needs to be done within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, has been found in libexpat up to 2.4.2. Affected by this issue is the function nextScaffoldPart of the file xmlparse.c. The manipulation leads to integer overflow. This vulnerability is handled as CVE-2022-22826. The attack needs to be initiated within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in libexpat up to 2.4.2. This affects the function storeAtts of the file xmlparse.c. The manipulation leads to integer overflow. This vulnerability is uniquely identified as CVE-2022-22827. Access to the local network is required for this attack. There is no exploit available. It is recommended to upgrade the affected component.

新闻速览 •国家密码管理局调整商用密码检测认证业务实施 •ISACA警报：95%组织缺乏量子计算威胁防御策略 […]

在数字威胁日益复杂的时代，全球网络安全领域的风向标再次指向旧金山。RSAC 2025全球网络安全大会于4月28 […]