Aggregator

error code: 521

HackerNews 编译，转载请注明出处： Oligo安全公司发出警告，有攻击者正在利用开源人工智能框架Ray中一个存在两年的安全漏洞发起持续攻击，将感染集群的NVIDIA GPU变成可自我复制的加密货币挖矿僵尸网络。 这项代号为 ShadowRay 2.0 的攻击活动，是2023年9月至2024年3月期间观察到的上一波攻击的升级版。攻击的核心是利用一个严重的身份认证缺失漏洞（CVE-2023-48022，CVSS评分：9.8），来控制易受攻击的实例，并劫持其算力用于XMRig的非法加密货币挖矿。 由于一项与Ray开发最佳实践相一致的”长期设计决策”要求其必须在隔离网络中运行并仅执行可信代码，该漏洞至今未被修补。 该攻击活动通过向暴露在公网的Ray仪表盘上的未认证Ray作业提交API（”/api/jobs/”）提交恶意作业来实现，其命令范围从简单的侦察到复杂的多阶段Bash和Python有效负载。随后，被攻陷的Ray集群被用于”广撒网”式攻击，将有效负载分发到其他Ray仪表盘，从而形成一个本质上可以从一个受害者传播到另一个受害者的蠕虫。 研究发现，攻击者利用GitLab和GitHub来投送恶意软件，使用诸如”ironern440-group”和”thisisforwork440-ops”等名称创建代码库并存放恶意负载。这两个账户现均已无法访问。然而，网络犯罪分子通过创建新的GitHub账户来应对封禁措施，这显示了他们的顽固性以及快速恢复运营的能力。 这些有效负载进而利用该平台的编排能力，横向移动至不面向互联网的节点，传播恶意软件，创建到攻击者控制基础设施的反向Shell以实现远程控制，并通过一个每15分钟运行一次的定时任务来建立持久化，该任务会从GitLab拉取最新版本的恶意软件以重新感染主机。 研究人员Avi Lumelsky和Gal Elbaz表示，威胁行为者”已将Ray的合法编排功能转变为工具，用于运行一个可自我传播的全球加密货币劫持行动，该行动能在暴露的Ray集群间自主传播。” 该攻击活动很可能利用了大语言模型来创建GitLab有效负载。这一评估是基于恶意软件的”结构、注释和错误处理模式”得出的。 其感染链包含一个明确的检查，用以判断受害者是否位于中国。如果是，则投放一个针对该区域的特定版本恶意软件。它还旨在通过扫描运行的进程来寻找并终止其他加密货币挖矿程序，从而消除竞争——这是加密货币劫持组织广泛采用的一种策略，旨在最大化主机的挖矿收益。 另一个值得注意的特点是，攻击使用了多种技术来规避检测，包括将恶意进程伪装成合法的Linux内核工作进程，并将CPU使用率限制在60%左右。据信，该攻击活动可能自2024年9月以来就一直处于活跃状态。 尽管Ray本应部署在”受控的网络环境”中，但研究结果表明，用户正在将Ray服务器暴露在互联网上，这为不法分子打开了一个有利可图的攻击面。攻击者使用开源漏洞检测工具interact.sh来识别哪些Ray仪表盘IP地址是可利用的。目前，有超过230,500台Ray服务器可公开访问。 Ray的最初开发者Anyscale公司已发布了一款”Ray开放端口检查器”工具，用于验证集群配置是否正确，以防止意外暴露。其他缓解策略包括配置防火墙规则以限制未经授权的访问，并在Ray仪表盘端口（默认8265）之上增加授权机制。 Oligo指出：”攻击者部署了sockstress（一种TCP状态耗尽工具）来攻击生产网站。这表明被入侵的Ray集群正被武器化，用于发动拒绝服务攻击，目标可能是竞争矿池或其他基础设施。” “这使得该行动从纯粹的加密货币劫持转变为一个多用途僵尸网络。发动DDoS攻击的能力增加了另一种变现途径——攻击者可以出租DDoS容量，或利用它来消除竞争。目标端口3333通常被矿池使用，这表明攻击是针对竞争对手的挖矿基础设施。”     消息来源：thehackernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络； 转载请注明“转自 HackerNews.cc”并附上原文

Роботу уже показали миллионы бытовых сценариев, но самое интересное начнется, когда он окажется в вашей гостиной.

error code: 521

HackerNews 编译，转载请注明出处： 威胁行为体正利用伪装成流行软件的虚假安装程序，诱骗用户安装恶意软件。这场全球性的恶意广告活动被命名为 TamperedChef。 根据安克提斯威胁研究单位的最新报告，此攻击的最终目的是建立持久性控制并投放JavaScript恶意软件，以实现远程访问和控制。这家总部位于新加坡的公司指出，该攻击活动仍在持续，新的恶意样本不断被发现，相关基础设施也保持活跃。 研究人员Darrel Virtusio和Jozsef Gegeny表示：”攻击操作者依赖社会工程学手段，使用日常应用程序名称、恶意广告、搜索引擎优化以及被滥用的数字证书，旨在增加用户信任并规避安全检测。” TamperedChef 是一场长期攻击活动的代号，该活动利用看似合法的各类实用工具安装程序，来传播一款同名的信息窃取恶意软件。据评估，它是代号为 EvilAI 的更大规模攻击行动的一部分，该行动使用与人工智能工具和软件相关的诱饵进行恶意软件传播。 为使这些假冒应用披上合法外衣，攻击者使用为在美国、巴拿马和马来西亚注册的空壳公司所颁发的代码签名证书对程序进行签名。当旧证书被吊销后，他们会以不同公司名义获取新证书。 安克提斯将此基础设施描述为”工业化且如同正规商业运作”，这有效帮助了操作者稳定地批量生成新证书，并利用人们对签名应用固有的信任，将恶意软件伪装成合法软件。 需要特别指出的是，TrueSec和G DATA追踪的这款名为TamperedChef的恶意软件，被Expel称为BaoLoader。它与最初作为EvilAI活动一部分分发、嵌入在恶意食谱应用中的原始TamperedChef恶意软件并不相同。 安克提斯向The Hacker News透露，他们选择使用TamperedChef来指代该恶意软件家族，因为此名称已被网络安全界广泛采纳。他们表示：”这有助于避免混淆，并与其他厂商现有的出版物和检测名称保持一致，这些厂商同样将该恶意软件家族称为TamperedChef。” 典型攻击流程如下： 用户在Bing等搜索引擎上搜索PDF编辑器或产品手册时，会看到恶意广告或被篡改的URL。点击后，用户会被引导至托管在NameCheap上的陷阱域名，这些域名会诱骗用户下载安装程序。 用户执行安装程序后，会被提示同意程序的许可条款。接着，在安装完成时，程序会打开一个新的浏览器标签页显示感谢信息，以维持骗局。然而，在后台，一个XML文件被释放，用于创建计划任务，该任务旨在启动一个经过混淆处理的JavaScript后门。 这个后门随即会连接到一个外部服务器，并通过HTTPS发送经过加密和Base64编码的JSON字符串，其中包含会话ID、机器ID和其他元数据等基本信息。 尽管如此，该攻击活动的最终目的仍然不甚明确。研究发现某些变种会协助进行广告欺诈，这表明了其背后的经济动机。威胁行为体也可能试图将其网络访问权限转售给其他网络犯罪分子，或者窃取敏感数据在地下论坛出售以实施欺诈。 遥测数据显示，大部分感染集中在美国，其次是以色列、西班牙、德国、印度和爱尔兰。医疗保健、建筑和制造业是受影响最严重的行业。 研究人员指出：”这些行业似乎对此类攻击活动尤其缺乏抵抗力，这可能是因为它们高度依赖专业性强、技术含量高的设备，这常常促使用户在线搜索产品手册——而这一行为正被TamperedChef攻击活动所利用。”   消息来源：thehackernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络； 转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability has been found in Ruijie RG-EG1000C, RG-EG2000F, RG-EG2000K, RG-EG2000L, RG-EG2000CE, RG-EG2000SE, RG-EG2000GE, RG-EG2000XE, RG-EG2000UE, RG-EG3000CE, RG-EG3000SE, RG-EG3000GE, RG-EG3000ME, RG-EG3000UE, RG-EG3000XE, RG-EG2100-P, EG3210, EG3220, EG3230, EG3250, NBR108G-P, NBR1000G-E, NBR1300G-E, NBR1700G-E, NBR2100G-E, NBR2500D-E, NBR3000D-E, NBR6120-E, NBR6135-E, NBR6205-E, NBR6210-E, NBR6215-E, NBR800G, NBR950G, NBR1000G-C, NBR2000G-C and NBR3000G-S and classified as critical. The affected element is an unknown function of the component EWEB Management System. This manipulation causes code injection. The identification of this vulnerability is CVE-2020-36870. It is possible to initiate the attack remotely. There is no exploit available. The affected component should be upgraded.

A vulnerability has been found in RainbowFish PacsOne Server up to 6.6.2 and classified as critical. This issue affects some unknown processing of the file nocache.php. The manipulation of the argument path leads to path traversal. This vulnerability is referenced as CVE-2018-25124. Remote exploitation of the attack is possible. Furthermore, an exploit is available.

A vulnerability was found in SourceCodester Employee Records System 1.0 and classified as critical. Impacted is an unknown function of the file uploadID.php. The manipulation results in unrestricted upload. This vulnerability is identified as CVE-2021-4462. The attack can be executed remotely. Additionally, an exploit exists.

A vulnerability was found in gristlabs grist-core up to 1.7.6. It has been declared as problematic. Impacted is an unknown function of the file /compare. The manipulation results in incorrect authorization. This vulnerability is identified as CVE-2025-64753. The attack can be executed remotely. There is not any exploit available. It is recommended to upgrade the affected component.

A vulnerability categorized as critical has been discovered in Bdtask/CodeCanyon Isshue Multi Store eCommerce Shopping Cart Solution 5. Affected by this issue is some unknown functionality of the file /submit_checkout. Such manipulation of the argument order_total_amount/cart_total_amount leads to enforcement of behavioral workflow. This vulnerability is traded as CVE-2025-13239. The attack may be launched remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in GitLab Community Edition and Enterprise Edition up to 18.3.5/18.4.3/18.5.1. It has been classified as problematic. Affected by this issue is some unknown functionality of the component Packages API Endpoint. This manipulation causes missing authorization. This vulnerability is registered as CVE-2025-6171. Remote exploitation of the attack is possible. No exploit is available. Upgrading the affected component is recommended.

A vulnerability classified as critical has been found in WeiYe-Jing datax-web up to 2.1.2. This impacts the function remove/update/pause/start/triggerJob of the component Job Handler. Performing manipulation results in improper access controls. This vulnerability was named CVE-2025-13250. The attack may be initiated remotely. In addition, an exploit is available.

A vulnerability classified as critical was found in WeiYe-Jing datax-web up to 2.1.2. Affected is an unknown function. Executing manipulation can lead to sql injection. The identification of this vulnerability is CVE-2025-13251. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability classified as critical has been found in DedeBIZ up to 6.3.2. This impacts an unknown function of the file /admin/templets_one_edit.php. The manipulation of the argument ids leads to sql injection. This vulnerability is referenced as CVE-2025-12859. Remote exploitation of the attack is possible. Furthermore, an exploit is available.

A vulnerability classified as critical was found in DedeBIZ up to 6.3.2. Affected is an unknown function of the file /admin/freelist_main.php. The manipulation of the argument orderby results in sql injection. This vulnerability is identified as CVE-2025-12860. The attack can be executed remotely. Additionally, an exploit exists.

A vulnerability was found in Microsoft Playwright. It has been declared as problematic. This vulnerability affects unknown code. Executing manipulation can lead to improper verification of cryptographic signature. The identification of this vulnerability is CVE-2025-59288. The attack needs to be done within the local network. There is no exploit available. A patch should be applied to remediate this issue.

SonicWall has disclosed a critical stack-based buffer overflow vulnerability in its SonicOS SSLVPN service. That allows remote unauthenticated attackers to crash firewalls through denial-of-service attacks. The vulnerability was internally discovered and reported by SonicWall’s security team. The flaw, tracked as CVE-2025-40601, carries a CVSS score of 7.5 and affects multiple generations of SonicWall firewall products. Field […]

The post SonicOS SSLVPN Vulnerability Let Attackers Crash the Firewall Remotely appeared first on Cyber Security News.

OpenAI has launched GPT-5.1-Codex-Max, a specialized coding model designed to handle complex development tasks autonomously. The new system represents a significant leap in agentic AI capabilities, enabling machines to work on coding projects with minimal human intervention. GPT-5.1-Codex-Max operates differently from general-purpose AI models. Built specifically for software engineering, the model features compaction technology that enables it to […]

The post OpenAI Releases GPT-5.1-Codex-Max that Performs Coding Tasks Independently appeared first on Cyber Security News.

YAML（YAML Ain’t Markup Language™，YAML 不是标记语言）是一种人性化的数据序列化语言，与所有编程语言配合良好，用于日常任务，如配置文件、日志文件、跨语言数据共享和对象