Aggregator

ResolverRAT是一个完全在内存中运行的隐形威胁，同时它还滥用 net ‘ resourcerresolve ’事件来加载恶意程序集，而不执行可能被标记为可疑的API调用。

HackerNews 编译，转载请注明出处： 安全研究人员发现一个公开可访问的服务器，内含超过1.58亿条AWS密钥记录。其中大部分密钥是跨不同区域端点和配置复制的重复条目。 然而进一步调查发现，攻击者通过爬取和其他方式收集AWS密钥，对存储桶进行加密并索要赎金的恶意活动。研究人员将密钥列表精简至1,229组独特的AWS密钥对，每组包含访问密钥ID及对应的秘密访问密钥。许多密钥对已被轮换，但仍在生效的有效密钥对已导致含有勒索信的S3存储桶被加密。 某未知威胁行为体正滥用AWS原生服务端加密功能以隐藏行踪。网络安全研究员、SecurityDiscovery.com所有者Bob Diachenko表示：“这是罕见且可能前所未有的协同勒索攻击案例——攻击者利用泄露的AWS凭证，在存储桶所有者未察觉或未操作的情况下，通过客户提供密钥的服务器端加密（SSE-C）对S3存储桶数据进行加密。” 关键要点： 1、发现超过1.58亿条泄露的AWS密钥记录，指向1,229组独特凭证。有效AWS密钥允许攻击者列出S3存储桶并检索勒索要求。 2、勒索信显示文件是使用客户提供密钥的服务器端加密（SSE-C）加密的。 3、勒索金额为每名受害者0.3枚比特币（约合2.5万美元）。 部分受害者仍不知情。 此次恶意活动无明确归属且高度自动化。攻击者在名为warning.txt的文件中留下勒索信。每个被加密的S3存储桶似乎都有独立的警告信息及唯一的比特币（BTC）地址。黑客留下联系邮箱awsdecrypt[@]techie.com。 攻击者正在利用AWS对抗其客户——他们滥用客户提供密钥的AWS服务器端加密（SSE-C）来加密S3存储桶数据。Halcyon RISE团队此前已详细说明过该技术。这意味着攻击者生成自己的加密密钥（AES-256），用于锁定数据，使得没有密钥就无法恢复。 这种攻击模式允许”静默入侵”，漏洞发生时不会向受害者发出警报或报告，也没有文件删除日志。威胁行为体保持存储桶结构完整。此外，攻击者似乎甚至懒得窃取数据实施双重勒索。 此前观察到攻击者设置S3生命周期策略在7天内删除加密数据，进一步逼迫受害者付款。令人担忧的是，多个案例中受影响的AWS环境仍在运行，表明受害者可能仍未意识到漏洞存在。 “部分受害者可能尚未察觉其存储桶已被加密，尤其是当受影响文件访问频率较低，或存储桶用于备份时。某些暴露的备份是空的且可能是新创建的，这使未来项目面临风险。”Diachenko表示。 研究人员还指出，攻击者在多个案例中警告受害者不要更改凭证，并通过允许测试文件恢复来提供’解密证明’。”此事件标志着云勒索策略的重大升级。其简单性使其特别危险：攻击者仅需窃取密钥——无需复杂漏洞利用。”Diachenko补充道。 他们警告称，对采用AWS原生强加密锁定的数据进行暴力破解或其他方式解密实际上是不可能的。 黑客如何收集AWS密钥？ 威胁行为体收集海量AWS密钥的确切方法尚未证实。但Cybernews研究人员提出几种最可能的假设： 1、公共代码库泄露的AWS密钥：密钥凭证常被误提交至GitHub、Bitbucket等平台。攻击者随后使用TruffleHog、Gitleaks等工具爬取这些代码库获取密钥。 2、不安全的CI/CD（持续集成/持续部署）工具：Jenkins或GitLab Runner常存储AWS密钥。这些密钥可能因配置错误部署或弱凭证而暴露。 3、Web应用中配置错误的.env和config.php或JSON配置文件：这些文件本应保密，但因配置错误可能导致凭证泄露。 4、泄露与入侵事件：被入侵的开发工具、云控制面板或密码管理器可能成为来源。黑客可从非法市场收集凭证。 5、陈旧/被遗忘的IAM用户：许多云环境中普遍存在极少轮换且长期有效的非活跃IAM用户凭证，这些是静默攻击的主要目标。 攻击者还可通过其他多种方式提取凭证。此前Cybernews研究发现，iOS应用平均包含5个硬编码密钥，可能导致泄露与数据泄露。 如何保护云存储桶？ AWS凭证本应保密。Cybernews研究人员建议通过以下方法强化AWS环境： 1、立即审计所有IAM凭证。停用未使用的密钥并轮换有效密钥。 2、实施AWS Config和GuardDuty服务以检测可疑访问模式。 3、使用自动化工具扫描公共代码库是否泄露密钥。 4、强制使用短期临时令牌，并从应用中移除硬编码凭证。 5、对所有IAM角色应用最小权限原则。 6、监控存储桶中warning.txt等未知新文件。 7、配置策略限制SSE-C使用，并启用详细日志记录以检测异常活动。 Cybernews已将暴露实例通报AWS。我们也联系对方寻求更多评论，收到回复后将予以补充。 AWS鼓励所有客户遵循安全、身份与合规最佳实践。若客户怀疑遭受入侵，可先参考本文列出的步骤或联系AWS支持团队。       消息来源：cybernews；  本文由 HackerNews.cc 翻译整理，封面来源于网络；  转载请注明“转自 HackerNews.cc”并附上原文

Canonical 释出了代号为 Plucky Puffin 的 Ubuntu 25.04。这是一个短期支持版本，只支持到 2026 年 1 月。主要新变化包括：Linux 6.14、GNOME 48、APT 3.0，提供了在 Arm64 系统上安装 Ubuntu 桌面的 ISO 镜像等。其他变化包括：systemd v257.4、Netplan v1.1.2，默认 OpenJDK 21 可选 OpenJDK 24，支持 .NET v8 和 9，Firefox 7 137，LibreOffice 25.2，Thunderbird 128 “Supernova”，GNU Image Manipulation Program 3.0 等，更多可浏览发布公告。

Сбой в системе обновлений заставляет тысячи устройств начать переход на новую ОС без разрешения админов.

各位 Buffer 周末好，以下是本周「FreeBuf周报」，我们总结推荐了本周的热点资讯、一周好文，保证大家不错过本周的每一个重点！

A vulnerability, which was classified as critical, was found in Huawei HarmonyOS. Affected is an unknown function of the component Application Management. The manipulation leads to permission issues. This vulnerability is traded as CVE-2022-46312. The attack needs to be approached within the local network. There is no exploit available.

A vulnerability was found in BSK Forms Blacklist Plugin up to 3.6.3 on WordPress. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2023-5980. The attack may be initiated remotely. There is no exploit available.

A vulnerability, which was classified as critical, was found in Totolink EX1800T 9.1.0cu.2112_B20220316. Affected is the function setWiFiApConfig of the file cstecgi.cgi. The manipulation of the argument opmode leads to privilege escalation. This vulnerability is traded as CVE-2023-51018. The attack can only be initiated within the local network. There is no exploit available.

A vulnerability classified as problematic was found in Dromara hutool-core 5.8.23. Affected by this vulnerability is the function StrSplitter.splitByRegex. The manipulation leads to infinite loop. This vulnerability is known as CVE-2023-51075. The attack can only be done within the local network. There is no exploit available.

A vulnerability classified as critical was found in JIZHICMS 2.5. Affected by this vulnerability is an unknown functionality of the file app/admin/exts/. The manipulation of the argument download_url leads to unrestricted upload. This vulnerability is known as CVE-2023-50692. The attack can be launched remotely. There is no exploit available.

A vulnerability was found in TP-Link Tapo 1.0.0/1.1.22 Build 220725/1.3.0 and classified as problematic. This issue affects some unknown processing. The manipulation leads to improper access controls. The identification of this vulnerability is CVE-2023-34829. The attack can only be initiated within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Sesami Cash Point & Transport Optimizer 6.3.8.6 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component Password Reset Handler. The manipulation leads to cleartext transmission of sensitive information. This vulnerability is known as CVE-2023-31300. The attack can be launched remotely. There is no exploit available.

A vulnerability, which was classified as problematic, has been found in Sesami Cash Point & Transport Optimizer 6.3.8.6. Affected by this issue is some unknown functionality of the component Back Button Refresh Handler. The manipulation leads to information disclosure. This vulnerability is handled as CVE-2023-31292. Local access is required to approach this attack. There is no exploit available.

A vulnerability was found in Honor Magic UI 6.0.0.217 and classified as problematic. This issue affects some unknown processing. The manipulation leads to information disclosure. The identification of this vulnerability is CVE-2023-51435. Attacking locally is a requirement. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic has been found in Honor Magic OS 7.0.0.129. This affects an unknown part. The manipulation leads to information disclosure. This vulnerability is uniquely identified as CVE-2023-23443. Local access is required to approach this attack. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Scontain SCONE up to 5.7.x. It has been declared as problematic. This vulnerability affects the function __scone_entry of the component Floating Point Handler. The manipulation leads to observable behavioral discrepancy. This vulnerability was named CVE-2022-46487. The attack needs to be approached locally. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, has been found in Totolink X6000R 9.4.0cu.852_B20230719. This issue affects some unknown processing of the file /cgi-bin/cstecgi.cgi. The manipulation leads to os command injection. The identification of this vulnerability is CVE-2023-50651. The attack may be initiated remotely. There is no exploit available.

A vulnerability has been found in Sympa up to 6.2.61 and classified as problematic. This vulnerability affects unknown code. The manipulation of the argument cookie leads to protection mechanism failure. This vulnerability was named CVE-2021-46900. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in MediaTek MT2735, MT6779, MT6781, MT6783, MT6785, MT6785T, MT6789, MT6813, MT6833, MT6833P, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6877T, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895T, MT6896, MT6897, MT6980, MT6980D, MT6983T, MT6983W, MT6983Z, MT6985, MT6985T, MT6989 and MT6990. This affects an unknown part of the component Modem IMS Stack. The manipulation leads to out-of-bounds write. This vulnerability is uniquely identified as CVE-2023-32874. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in MediaTek MT6761, MT6765, MT6768, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6855, MT6873, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6983, MT6985, MT8168, MT8188, MT8195, MT8766, MT8768, MT8781, MT8789, MT8791T and MT8798. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Display DRM. The manipulation leads to memory corruption. This vulnerability is known as CVE-2023-32885. It is possible to launch the attack on the local host. There is no exploit available. It is recommended to apply a patch to fix this issue.