Aggregator

A new report from Mandiant reveals that the average time-to-exploit vulnerabilities before or after a patch is released has plunged to just five days in 2023, down from 32 days in 2021 in 2022. One reason for this is the fact that, in 2023, exploitation of zero-day vulnerabilities (unknown to vendors, with no patches available) considerably outpaced the exploitation of n-day flaws (publicly disclosed bugs, with patches available). Another is that n-day exploitation continues to … More →

The post Defenders must adapt to shrinking exploitation timelines appeared first on Help Net Security.

为用户打造智慧、可信、透明的安全体验。

图片来源：安全客 趋势科技研究公司的一份最新报告指出，巴西出现了一种鱼叉式网络钓鱼活动，该活动结合使用了混淆 JavaScript 和 Astaroth 恶意软件，以各行各业的公司为目标。该活动背后的威胁行动者被追踪为 “Water Makara”，他们采用了复杂的技术来逃避检测，对该地区的制造企业、零售企业和政府机构构成了严重威胁。 该活动以伪装成官方税务通知或合规文件的网络钓鱼电子邮件开始，这种策略旨在引诱毫无戒心的用户。报告称，“这些电子邮件的附件通常伪装成个人所得税文件”，而这些附件中包含有害的 ZIP 文件。钓鱼邮件的主题行是 “Aviso de Irregularidade”（违规通知），诱骗收件人打开包含恶意 LNK 文件的 ZIP 文件。这些 LNK 文件被执行后，会通过 mshta.exe 工具运行嵌入的 JavaScript 命令，而 mshta.exe 工具是一个通常用于执行 HTML 应用程序的合法程序。 最终有效载荷为 Astaroth 恶意软件的鱼叉式网络钓鱼电子邮件示例 | 图片： 趋势科技研究 趋势科技研究人员解释说：“除了 LNK 文件外，ZIP 文件还包含另一个文件，其中有类似的混淆 JavaScript 命令，”这些命令在执行过程中会被解码，并连接到命令与控制（C&C）服务器以获取进一步的指令。 该活动的核心是 Astaroth，这是一种臭名昭著的银行木马，可窃取包括凭证和财务数据在内的敏感信息。一旦恶意软件站稳脚跟，它就会造成长期破坏，不仅包括数据盗窃，还包括监管罚款、业务中断和失去消费者信任。 报告说：“虽然 Astaroth 看起来像是一个古老的银行木马，但它的再次出现和持续演化使其成为一个持久的威胁。” Water Makara 采用了先进的混淆技术，使检测变得困难。研究人员发现，编码后的 JavaScript 命令会指向恶意 URL，如 patrimoniosoberano[.]world。这些 URL 采用了域名生成算法 (DGA)，这是网络犯罪分子用来创建大量域名从而逃避检测的一种策略。 巴西的制造业、零售业和政府部门是这一活动的主要目标。报告指出：“鱼叉式网络钓鱼活动主要针对巴西的公司，其中受影响最大的是制造公司、零售公司和政府机构。” 报告总结道：“Water Makara 的鱼叉式网络钓鱼活动依赖于不知情的用户点击恶意文件，这凸显了人类意识的关键作用。” 随着巴西继续面临来自复杂网络行为者的日益严重的威胁，防御这些极具针对性的鱼叉式网络钓鱼活动需要采取多层次的方法，将技术防御与强大的用户教育相结合。     转自安全客，原文链接：https://www.anquanke.com/post/id/300950 封面来源于网络，如有侵权请联系删除

Today, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released joint guidance on Product Security Bad Practices, a part of CISA’s Secure by Design initiative. This joint guidance supplies an overview of exceptionally risky product security bad practices for software manufacturers who produce software in support of critical infrastructure or national critical functions. 

The bad practices presented in this guidance are organized into three categories: product properties, security features, and organizational processes and policies. This guidance contains brief information about specific bad practices, recommended actions, and additional resources. While this guidance is intended for software manufacturers who develop software products and services in support of critical infrastructure, all software manufacturers are strongly encouraged to avoid these product security bad practices. 

CISA and FBI urge software manufacturers to reduce customer risk by prioritizing security throughout the product development process. For more information and resources, visit CISA.gov/SecureByDesign.

The public comment period begins today and concludes on December 16, 2024. During the comment period, members of the public can provide comments and feedback via the Federal Register.

Today, CISA—with the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and international partners—released joint Cybersecurity Advisory Iranian Cyber Actors Brute Force and Credential Access Activity Compromises Critical Infrastructure. This advisory provides known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) used by Iranian actors to impact organizations across multiple critical infrastructure sectors.

Since October 2023, Iranian actors have used brute force and password spraying to compromise user accounts and obtain access to organizations in the healthcare and public health (HPH), government, information technology, engineering, and energy sectors.

CISA and partners recommend critical infrastructure organizations follow the provided guidance, as well as ensure all accounts use strong passwords and register a second form of authentication.

For more information on Iranian state-sponsored threat actor activity, see CISA’s Iran Cyber Threat Overview and Advisories page. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including more recommended baseline protections.

One of the trickiest problems organizations face with securing their software supply chain is making risk decisions without really understanding where the biggest threats lie in their software, whether open source or commercial. Even with a full slate of application security testing (AST), without modernizing your approach with software supply chain security (SSCS) tools, it can be difficult to get a sweeping view of how all of the different deployed components and packages play into an overall threat posture.

The post Threat modeling and binary analysis: Supercharge your software risk strategy appeared first on Security Boulevard.

New NCSC CEO Dr Richard Horne warned in a speech that there is a widening gap between escalating threats and society’s ability to defend against them

Уязвимость возникает ещё до активации ключевых защитных элементов.

近日，研究人员在恶意事件中观察到一种名为 EDRSilencer 的红队操作工具。 EDRSilencer 识别安全工具后会将其向管理控制台发出的警报变更为静音状态。 网络安全公司 Trend Micro 的研究人员说，攻击者正试图在攻击中整合 EDRSilencer，以逃避检测。 被“静音”的EDR 产品 端点检测和响应（EDR）工具是监控和保护设备免受网络威胁的安全解决方案。 它们使用先进的分析技术和不断更新的情报来识别已知和新的威胁，并自动做出响应，同时向防御者发送有关威胁来源、影响和传播的详细报告。 EDRSilencer 是受 MdSec NightHawk FireBlock（一种专有的笔试工具）启发而开发的开源工具，可检测运行中的 EDR 进程，并使用 Windows 过滤平台（WFP）监控、阻止或修改 IPv4 和 IPv6 通信协议的网络流量。 WFP 通常用于防火墙、杀毒软件和其他安全解决方案等安全产品中，平台中设置的过滤器具有持久性。 通过自定义规则，攻击者可以破坏 EDR 工具与其管理服务器之间的持续数据交换，从而阻止警报和详细遥测报告的发送。 在最新版本中，EDRSilencer 可检测并阻止 16 种现代 EDR 工具，包括： 微软卫士 SentinelOne FortiEDR Palo Alto Networks Traps/Cortex XDR 思科安全端点（前 AMP） ElasticEDR Carbon Black EDR 趋势科技 Apex One 阻止硬编码可执行文件的传播，来源：趋势科技 趋势科技对 EDRSilencer 的测试表明，一些受影响的 EDR 工具可能仍能发送报告，原因是它们的一个或多个可执行文件未列入红队工具的硬编码列表。 不过，EDRSilencer 允许攻击者通过提供文件路径为特定进程添加过滤器，因此可以扩展目标进程列表以涵盖各种安全工具。 趋势科技在报告中解释说：在识别并阻止未列入硬编码列表的其他进程后，EDR 工具未能发送日志，这证实了该工具的有效性。 研究人员说：这使得恶意软件或其他恶意活动仍未被发现，增加了在未被发现或干预的情况下成功攻击的可能性。 EDRSilencer 攻击链，来源：趋势科技 趋势科技针对 EDRSilencer 的解决方案是将该工具作为恶意软件进行检测，在攻击者禁用安全工具之前阻止它。 此外，研究人员建议实施多层次的安全控制，以隔离关键系统并创建冗余，使用提供行为分析和异常检测的安全解决方案，在网络上寻找入侵迹象，并应用最小特权原则。     转自FreeBuf，原文链接：https://www.freebuf.com/news/412912.html 封面来源于网络，如有侵权请联系删除

从某品牌被疯狂暗刷看2024年品牌广告欺诈风险态势

Our founder Simon Moffatt will be a panellist at the Think Digital Identity and Cyber Security for Government event next week in London. The adoption of Post Quantum Cryptography (PQC) is a huge concern for organisations in both the public and private sectors. As the role of cryptography has risen in the past decade its […]

The post Preparing for Quantum Resilience appeared first on The Cyber Hut.

The post Preparing for Quantum Resilience appeared first on Security Boulevard.

A vulnerability was found in neuvector 3.1. It has been rated as critical. This issue affects some unknown processing of the component JWT Token Handler. The manipulation leads to generation of incorrect security tokens. The identification of this vulnerability is CVE-2023-32188. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic was found in Apache CloudStack up to 4.18.2.3/4.19.1.1. This vulnerability affects unknown code of the component Web Interface Logout. The manipulation leads to session expiration. This vulnerability was named CVE-2024-45462. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in Apache CloudStack up to 4.18.2.3/4.19.1.1. Affected is an unknown function of the component Quota Plugin. The manipulation leads to improper access controls. This vulnerability is traded as CVE-2024-45461. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in Accordion Slider Plugin up to 1.9.11 on WordPress. Affected by this issue is some unknown functionality of the component HTML Attribute Handler. The manipulation leads to HTML injection. This vulnerability is handled as CVE-2024-9582. The attack may be launched remotely. There is no exploit available.

A vulnerability was found in File Manager Pro Plugin up to 8.3.9 on WordPress and classified as critical. Affected by this issue is some unknown functionality of the component JavaScript File Handler. The manipulation leads to unrestricted upload. This vulnerability is handled as CVE-2024-8918. The attack may be launched remotely. There is no exploit available.

据The Hacker News消息，与朝鲜相关的恶意软件 FASTCash正利用针对Linux的新变体实施攻击，目的是窃取资金。 研究人员表示，这种恶意软件安装在被入侵网络中处理银行卡交易的支付交换机上，以实施未授权的自动取款机提现交易。 美国相关机构于2018 年 10 月首次记录了 FASTCash，称至少自 2016 年底以来，有朝鲜背景的黑客组织Hidden Cobra就利用该恶意软件将非洲和亚洲地区的银行ATM作为攻击目标。在2017年的一起攻击事件中，该组织成功对位于 30 多个不同国家/地区的 ATM 机成功实施了攻击；2018年，同样的攻击又在 23 个不同国家的 ATM 机中上演。 虽然之前的 FASTCash仅适用于微软Windows系统和和 IBM AIX，但最新调查结果显示，新版本的恶意软件已经能够适用于Linux 系统，相关样本于 2023 年 6 月中旬首次提交到了 VirusTotal 平台。 该恶意软件为Ubuntu Linux 20.04 编译的共享对象（“libMyFc.so”）形式，攻击手法为篡改预定义的持卡人账号因资金不足而被拒绝的交易信息，并允许他们提取随机金额的土耳其里拉，每笔金额从 12000 到 30000 里拉（350 美元到 875 美元）不等 。 攻击示意图 Linux 变体的发现进一步强调了对足够强大的检测能力的需求，而 Linux 服务器环境中通常缺乏这些功能，建议对借记卡实施芯片和 PIN 要求、要求并验证发卡机构金融请求响应信息中的信息验证码，并对芯片和 PIN 交易执行授权响应加密验证。 参考来源：New Linux Variant of FASTCash Malware Targets Payment Switches in ATM Heists     转自FreeBuf，原文链接：https://www.freebuf.com/news/412963.html 封面来源于网络，如有侵权请联系删除

Akamai has unveiled the availability of its Behavioral DDoS Engine for the App & API Protector solution. This new capability leverages machine learning for automatic, proactive protection against application-layer DDoS attacks. Behavioral DDoS Engine offers advanced detection and mitigation by analyzing anomalies and correlating multidimensional traffic data, ensuring robust defense against sophisticated and evolving DDoS threats. The engine provides customized, hands-off protection tailored to specific traffic baselines and risk sensitivities, minimizing manual intervention. Powered by … More →

The post Akamai releases Behavioral DDoS Engine for App & API Protection appeared first on Help Net Security.

A vulnerability, which was classified as problematic, has been found in Oracle GraalVM and Java SE. This issue affects some unknown processing of the component Networking. The manipulation leads to denial of service. The identification of this vulnerability is CVE-2024-21208. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.