Aggregator

本文来源于团队的超辉老师，分享Azure安全横向移动内容。

HackerNews 编译，转载请注明出处： 一场精心策划的网络钓鱼活动正在悄然改变其攻击目标，从 Windows 系统转向 macOS，引发了网络安全领域的高度关注。据以色列网络安全公司 LayerX 的最新报告，这场以窃取用户登录凭证为目的的恐吓软件攻击活动，近期调整了攻击策略，将矛头指向了 macOS 用户。 在 2024 年及 2025 年初，该攻击活动主要针对 Windows 用户，通过入侵合法网站并植入恶意代码，制造虚假的微软安全警报。这些警报声称用户的计算机已被入侵并锁定，随后网页会被恶意代码冻结，制造出系统故障的假象。受害者在恐慌中被诱导输入 Windows 用户名和密码，攻击者借此获取敏感信息。 为了增加攻击的可信度，攻击者将钓鱼页面托管在微软旗下的合法 Azure 应用托管平台 Windows.net 上。由于该平台的高信誉度，攻击者成功绕过了许多基于顶级域名（TLD）声誉检查的反钓鱼防御机制。LayerX 指出：“Windows.net 是一个知名且被广泛使用的平台，由信誉良好的微软公司运营。因此，这些钓鱼页面能够轻易绕过传统的安全防护机制。” 此外，攻击者还利用随机化、快速变形的子域名来托管恶意代码，并精心设计钓鱼页面，使其看起来极为专业。他们甚至加入了反机器人和验证码验证机制，以延缓自动化检测系统的识别。 然而，随着 Chrome、Firefox 和 Microsoft Edge 浏览器近期新增了反恐吓软件功能，针对 Windows 系统的攻击成功率大幅下降，攻击活动减少了 90%。这迫使攻击者将注意力转向 macOS 用户，因为 macOS 系统并未受到这些新防御机制的保护。 LayerX 表示，在针对 Windows 的攻击活动进行期间，并未观察到对 macOS 的攻击。但在新的反钓鱼防御措施推出后的两周内，针对 macOS 用户的攻击便迅速展开。这些钓鱼页面与之前用于攻击 Windows 的页面几乎完全相同，但布局和信息已被调整以适应 macOS 用户，恶意代码也经过修改以针对 Safari 浏览器。 据 LayerX 报告，攻击者利用用户错误输入合法网站 URL 的机会，将其引导至被入侵的域名“托管”页面，随后通过多个域名重定向，最终将用户带到钓鱼页面。在一个具体案例中，一名 LayerX 企业客户的 macOS 和 Safari 用户成为攻击目标。尽管该组织部署了安全网络网关（SWG），但攻击仍然成功绕过了这一防护措施。 LayerX 认为，攻击者可能会在将 macOS 上的 Safari 用户作为主要攻击目标后，对现有基础设施进行最小限度的修改，以进一步调整其攻击策略。LayerX 产品营销主管 Eyal Arazi 强调：“个人非企业账户被入侵通常仅限于暴露该个人用户的信息，而企业账户被入侵可能导致组织层面的数据泄露，使威胁变得更加严重。” 这场从 Windows 到 macOS 的攻击向量转变表明，攻击者正在不断调整和优化其攻击策略，以寻找新的漏洞和目标。这场攻击活动不仅高度专业、持续性强，还具有很强的适应性，对企业用户构成了重大威胁。随着攻击手段的不断演变，企业和个人用户必须保持警惕，及时更新安全防护措施，以应对日益复杂和隐蔽的网络攻击。 消息来源：SecurityWeek； 本文由 HackerNews.cc 翻译整理，封面来源于网络；  转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability was found in D-Link DIR-618 and DIR-605L 2.02/3.02. It has been classified as problematic. This affects an unknown part of the file /goform/formSetPortTr. The manipulation leads to improper access controls. This vulnerability only affects products that are no longer supported by the maintainer. This vulnerability is uniquely identified as CVE-2025-2551. Access to the local network is required for this attack. Furthermore, there is an exploit available. It is recommended to apply restrictive firewalling.

A vulnerability was found in D-Link DIR-618 and DIR-605L 2.02/3.02. It has been declared as problematic. This vulnerability affects unknown code of the file /goform/formTcpipSetup. The manipulation leads to improper access controls. This vulnerability only affects products that are no longer supported by the maintainer. This vulnerability was named CVE-2025-2552. Access to the local network is required for this attack to succeed. Furthermore, there is an exploit available. It is recommended to apply restrictive firewalling.

A vulnerability was found in D-Link DIR-618 and DIR-605L 2.02/3.02. It has been rated as problematic. This issue affects some unknown processing of the file /goform/formVirtualServ. The manipulation leads to improper access controls. This vulnerability only affects products that are no longer supported by the maintainer. The identification of this vulnerability is CVE-2025-2553. The attack needs to be approached within the local network. Furthermore, there is an exploit available. It is recommended to apply restrictive firewalling.

A vulnerability classified as problematic has been found in Audi Universal Traffic Recorder App 2.0. Affected is an unknown function of the component FTP Credentials. The manipulation leads to use of hard-coded password. This vulnerability is traded as CVE-2025-2555. Attacking locally is a requirement. Furthermore, there is an exploit available. It is recommended to upgrade the affected component. The vendor was contacted early about these issues and acted very professional. Version 2.89 is fixing this issue for new customers and 2.90 is going to fix it for existing customers.

A vulnerability classified as problematic was found in Audi UTR Dashcam 2.0. Affected by this vulnerability is an unknown functionality of the component Video Stream Handler. The manipulation leads to hard-coded credentials. This vulnerability is known as CVE-2025-2556. The attack can only be initiated within the local network. Furthermore, there is an exploit available. It is recommended to upgrade the affected component. The vendor was contacted early about these issues and acted very professional. Version 2.89 is fixing this issue for new customers and 2.90 is going to fix it for existing customers.

A vulnerability, which was classified as critical, has been found in Audi UTR Dashcam 2.0. Affected by this issue is some unknown functionality of the component Command API. The manipulation leads to improper access controls. This vulnerability is handled as CVE-2025-2557. The attack needs to be done within the local network. Furthermore, there is an exploit available. It is recommended to upgrade the affected component. The vendor was contacted early about these issues and acted very professional. Version 2.89 is fixing this issue for new customers and 2.90 is going to fix it for existing customers.

A vulnerability was found in go-redis up to 9.5.4/9.6.2/9.7.2 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to improper input validation. This vulnerability is handled as CVE-2025-29923. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic was found in D-Link DIR-618 and DIR-605L 2.02/3.02. This vulnerability affects unknown code of the file /goform/formAdvFirewall of the component Firewall Service. The manipulation leads to improper access controls. This vulnerability only affects products that are no longer supported by the maintainer. This vulnerability was named CVE-2025-2546. The attack needs to be approached within the local network. Furthermore, there is an exploit available. It is recommended to apply restrictive firewalling.

A vulnerability, which was classified as problematic, has been found in D-Link DIR-618 and DIR-605L 2.02/3.02. This issue affects some unknown processing of the file /goform/formAdvNetwork. The manipulation leads to improper access controls. This vulnerability only affects products that are no longer supported by the maintainer. The identification of this vulnerability is CVE-2025-2547. The attack can only be done within the local network. Furthermore, there is an exploit available. It is recommended to apply restrictive firewalling.

A vulnerability, which was classified as problematic, was found in D-Link DIR-618 and DIR-605L 2.02/3.02. Affected is an unknown function of the file /goform/formSetDomainFilter. The manipulation leads to improper access controls. This vulnerability only affects products that are no longer supported by the maintainer. This vulnerability is traded as CVE-2025-2548. The attack can only be initiated within the local network. Furthermore, there is an exploit available. It is recommended to apply restrictive firewalling.

A vulnerability has been found in D-Link DIR-618 and DIR-605L 2.02/3.02 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /goform/formSetPassword. The manipulation leads to improper access controls. This vulnerability only affects products that are no longer supported by the maintainer. This vulnerability is known as CVE-2025-2549. The attack needs to be done within the local network. Furthermore, there is an exploit available. It is recommended to apply restrictive firewalling.

A vulnerability was found in D-Link DIR-618 and DIR-605L 2.02/3.02 and classified as problematic. Affected by this issue is some unknown functionality of the file /goform/formSetDDNS of the component DDNS Service. The manipulation leads to improper access controls. This vulnerability only affects products that are no longer supported by the maintainer. This vulnerability is handled as CVE-2025-2550. The attack needs to be initiated within the local network. Furthermore, there is an exploit available. It is recommended to apply restrictive firewalling.

A vulnerability was found in langgenius dify. It has been declared as critical. Affected by this vulnerability is the function vn.get_training_plan_generic of the component Vanna Module. The manipulation leads to code injection. This vulnerability is known as CVE-2025-0185. The attack can be launched remotely. There is no exploit available.

A vulnerability classified as problematic was found in ollama up to 0.3.14. This vulnerability affects unknown code of the component GGUF Model Handler. The manipulation leads to improper validation of array index. This vulnerability was named CVE-2025-0313. The attack can be initiated remotely. There is no exploit available.

A vulnerability, which was classified as critical, was found in significant-gravitas autogpt up to 0.3.x. Affected is an unknown function. The manipulation leads to command injection. This vulnerability is traded as CVE-2025-1040. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in mlflow up to 2.17.2. Affected by this issue is some unknown functionality of the file /graphql. The manipulation leads to resource consumption. This vulnerability is handled as CVE-2025-0453. The attack may be launched remotely. There is no exploit available.

A vulnerability was found in One Click Order Re-Order Plugin up to 1.1.9 on WordPress. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2024-5641. The attack can be launched remotely. There is no exploit available.

A vulnerability was found in Sola Plugins WP Tweet Walls up to 1.0.3 on WordPress. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to cross-site request forgery. This vulnerability is handled as CVE-2024-38344. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.