Aggregator

致力于第一时间为企业级用户提供权威漏洞情报和有效解决方案。

致力于第一时间为企业级用户提供权威漏洞情报和有效解决方案。

致力于第一时间为企业级用户提供权威漏洞情报和有效解决方案。

HackerNews 编译，转载请注明出处： 一项新调查发现，一种名为Raspberry Robin的恶意软件与近200个独特的命令与控制（C2）域名相关联。 “Raspberry Robin（也被称为Roshtyak或Storm-0856）是一个复杂且不断演变的威胁行为者，为众多犯罪团伙提供初始访问代理（IAB）服务，其中许多团伙与俄罗斯有联系，”Silent Push在一份与The Hacker News共享的报告中表示。 自2019年出现以来，该恶意软件已成为SocGholish、Dridex、LockBit、IcedID、BumbleBee和TrueBot等恶意软件的传播渠道。它还被称为QNAP蠕虫，因为它利用被攻破的QNAP设备来获取有效载荷。 多年来，Raspberry Robin的攻击链增加了一种新的分发方式，即通过Discord消息服务发送的附件中的存档和Windows脚本文件下载，此外还获取了一天漏洞来实现本地权限提升，这些漏洞在公开披露之前就被利用。 也有证据表明，该恶意软件作为按安装付费（PPI）的僵尸网络提供给其他行为者，以分发下一阶段的恶意软件。 此外，Raspberry Robin感染还纳入了一种基于USB的传播机制，即使用包含伪装成文件夹的Windows快捷方式（LNK）文件的被攻破的USB驱动器来激活恶意软件的部署。 美国政府已经透露，被追踪为Cadet Blizzard的俄罗斯国家级威胁行为者可能使用Raspberry Robin作为初始访问促进器。 Silent Push在其与Team Cymru共同进行的最新分析中发现了一个用于连接所有被攻破的QNAP设备的数据中继IP地址，最终发现了超过180个独特的C2域名。 “这个单一IP地址通过Tor中继连接，这可能是网络运营商发布新命令并与被攻破设备交互的方式，”该公司表示。“用于此中继的IP位于一个欧盟国家。” 对基础设施的深入调查表明，Raspberry Robin的C2域名很短，例如q2[.]rs、m0[.]wf、h0[.]wf和2i[.]pm，并且它们在被攻破的设备和IP之间快速轮换，使用一种称为快速通量的技术，以使它们难以被关闭。 Raspberry Robin的一些顶级域名（TLD）包括.wf、.pm、.re、.nz、.eu、.gy、.tw和.cx，域名使用Sarek Oy、1API GmbH、NETIM、Epag[.]de、CentralNic Ltd和Open SRS等小众注册商注册。大多数已识别的C2域名的域名服务器位于一家名为ClouDNS的保加利亚公司。 “Raspberry Robin被俄罗斯政府威胁行为者使用，与其与无数其他严重威胁行为者合作的历史相符，其中许多与俄罗斯有联系，”该公司表示。“这些包括LockBit、Dridex、SocGholish、DEV-0206、Evil Corp（DEV-0243）、Fauppod、FIN11、Clop Gang和Lace Tempest（TA505）。”   消息来源：The Hacker News；  本文由 HackerNews.cc 翻译整理，封面来源于网络；   转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability, which was classified as problematic, has been found in Plume CMS up to 1.2.4. This issue affects some unknown processing. The manipulation of the argument c_author leads to cross site scripting. The identification of this vulnerability is CVE-2012-2156. The attack may be initiated remotely. Furthermore, there is an exploit available.

A vulnerability, which was classified as problematic, has been found in extendthemes Colibri Page Builder Plugin up to 1.0.276 on WordPress. This issue affects some unknown processing. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2024-5038. The attack may be initiated remotely. There is no exploit available.

A vulnerability, which was classified as problematic, was found in wcmp MultiVendorX Marketplace Plugin up to 4.1.11 on WordPress. Affected is an unknown function. The manipulation leads to cross site scripting. This vulnerability is traded as CVE-2024-5259. It is possible to launch the attack remotely. There is no exploit available.

A vulnerability, which was classified as problematic, has been found in Plume CMS up to 1.2.4. Affected by this issue is some unknown functionality. The manipulation leads to cross-site request forgery. This vulnerability is handled as CVE-2012-1414. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability was found in wpdevteam Essential Addons for Elementor Plugin up to 5.9.22 on WordPress. It has been classified as problematic. This affects the function get_manual_calendar_events. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2024-5188. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in denoland deno 1.44.0 and classified as problematic. This issue affects some unknown processing of the component npmrc Handler. The manipulation leads to information disclosure. The identification of this vulnerability is CVE-2024-37150. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in SuluFormBundle up to 2.5.2. It has been rated as problematic. Affected by this issue is the function TokenController of the component GET Parameter Handler. The manipulation of the argument formName leads to basic cross site scripting. This vulnerability is handled as CVE-2024-37156. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in WP Mobile Menu Plugin up to 2.8.4.2 on WordPress. It has been classified as problematic. This affects an unknown part of the component Image Alt Handler. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2024-3987. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability, which was classified as problematic, has been found in Clever Fox Plugin up to 25.2.0 on WordPress. This issue affects some unknown processing. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2024-1768. The attack may be initiated remotely. There is no exploit available.

A vulnerability has been found in Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel Plugin up to 2.2.80 on WordPress and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2024-1988. The attack can be launched remotely. There is no exploit available.

A vulnerability, which was classified as problematic, has been found in Emerson PACSystem RXi, PACSystem RSTi-EP and Fanuc VersaMax. Affected by this issue is some unknown functionality. The manipulation leads to insufficiently protected credentials. This vulnerability is handled as CVE-2022-30266. It is possible to launch the attack on the physical device. There is no exploit available. It is recommended to change the configuration settings.

A vulnerability was found in WP jQuery Lightbox Plugin up to 1.5.4 on WordPress. It has been rated as problematic. This issue affects some unknown processing of the component Attribute Handler. The manipulation of the argument Title leads to cross site scripting. The identification of this vulnerability is CVE-2024-5425. The attack may be initiated remotely. There is no exploit available.

A vulnerability was found in lunary-ai lunary. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to weak password recovery. This vulnerability is known as CVE-2024-5277. The attack can be launched remotely. There is no exploit available.