Aggregator

CVE-2024-11689 | caagsoftware HQ Rental Software Plugin up to 1.5.29 on WordPress Setting displaySettingsPage cross-site request forgery

Vuldb Updates
9 months 3 weeks ago
A vulnerability classified as problematic was found in caagsoftware HQ Rental Software Plugin up to 1.5.29 on WordPress. This vulnerability affects the function displaySettingsPage of the component Setting Handler. The manipulation leads to cross-site request forgery. This vulnerability was named CVE-2024-11689. The attack can be initiated remotely. There is no exploit available.
vuldb.com

ChatGPT Operator Prompt Injection Exploit Leaks Private Data

GBHackers on Security | #1 Globally Trusted Cyber Security News Platform
9 months 3 weeks ago

According to recent findings by cybersecurity researcher Johann Rehberger, OpenAI’s ChatGPT Operator, an experimental agent designed to automate web-based tasks, faces critical security risks from prompt injection attacks that could expose users’ private data. In a demonstration shared exclusively with OpenAI last month, Rehberger showcased how malicious actors could hijack the AI agent to extract […]

The post ChatGPT Operator Prompt Injection Exploit Leaks Private Data appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Divya

CVE-2024-11901 | cyberlord92 PowerBI Embed Reports Plugin up to 1.1.7 on WordPress Shortcode MO_API_POWER_BI cross site scripting

Vuldb Updates
9 months 3 weeks ago
A vulnerability, which was classified as problematic, has been found in cyberlord92 PowerBI Embed Reports Plugin up to 1.1.7 on WordPress. This issue affects the function MO_API_POWER_BI of the component Shortcode Handler. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2024-11901. The attack may be initiated remotely. There is no exploit available.
vuldb.com

Cybersecurity jobs available right now: February 18, 2025

Help Net Security
9 months 3 weeks ago

Airport Cybersecurity Engineer II Salt Lake City Corporation | USA | On-site – View job details As an Airport Cybersecurity Engineer II, you will develop and implement policies, procedures, and training plans for security and network administration. Assess and mitigate cybersecurity threats. Manage incident response and recovery plans. Application Security Architect WalkMe | Israel | Hybrid – View job details As an Application Security Architect, you will conduct design and code reviews to ensure secure … More →

The post Cybersecurity jobs available right now: February 18, 2025 appeared first on Help Net Security.

Anamarija Pogorelec

微软:黑客在设备代码钓鱼攻击中窃取电子邮件

嘶吼
9 months 3 weeks ago

据安全研究员观察发现,一个可能与俄罗斯有关联的威胁者发起的活跃攻击活动,正利用设备代码钓鱼手段针对个人微软 365 账户进行攻击。

这些攻击目标涉及欧洲、北美、非洲和中东地区的政府、非政府组织、信息技术服务和科技、国防、电信、医疗以及能源/石油和天然气行业。

微软威胁情报中心将此次设备代码钓鱼活动背后的威胁者追踪为“风暴-237”。基于受害者特征和作案手法,研究人员认为,该活动与符合俄罗斯利益的国家行为有关。

设备代码钓鱼攻击

输入受限设备——那些缺少键盘或浏览器支持的设备,比如智能电视和某些物联网设备,依靠代码认证流程让用户通过在另一台设备(如智能手机或电脑)上输入授权码来登录应用程序。

微软研究人员发现,自去年 8 月以来,Storm-2372 通过诱骗用户在合法的登录页面输入攻击者生成的设备代码,滥用这种身份验证流程。

这些特工人员首先通过在 WhatsApp、Signal 和 Microsoft Teams 等消息平台上“冒充与目标有关的知名人士”与目标建立联系,然后才发起攻击。

Storm-2372发送到目标的消息

威胁者会在通过电子邮件或短信发送虚假的在线会议邀请之前,与受害者逐渐建立起一种融洽的关系。根据研究人员的说法,受害者收到一个团队会议邀请,其中包括攻击者生成的设备代码。

微软表示:“这些邀请会引诱用户完成设备代码认证请求,模拟消息传递服务,这为Storm-2372提供了对受害者账户的初始访问权限,并启用了Graph API数据收集活动,如电子邮件收集。”

只要被盗的令牌有效,黑客就可以在不需要密码的情况下访问受害者的微软服务(电子邮件、云存储)。

设备代码网络钓鱼攻击概述

然而,微软表示,攻击者现在正在设备代码登录流中使用Microsoft Authentication Broker的特定客户端ID,这允许他们生成新的令牌。

这开启了新的攻击和持久化可能性,因为攻击者可以使用客户端ID将设备注册到微软基于云的身份和访问管理解决方案Entra ID。

使用相同的刷新令牌和新的设备标识,Storm-2372能够获得主刷新令牌(PRT)并访问其资源。目前已经观察到Storm-2372使用连接的设备收集电子邮件。

防御风暴2372

为了对抗Storm-2372使用的设备代码钓鱼攻击,微软建议在可能的情况下阻止设备代码流,并在微软Entra ID中执行条件访问策略,以限制其对可信设备或网络的使用。

如果怀疑设备代码网络钓鱼,立即使用‘revokeSignInSessions’撤销用户的刷新令牌,并设置条件访问策略来强制受影响的用户重新认证。

最后,使用Microsoft Entra ID的登录日志来监视并快速识别短时间内大量的身份验证尝试、来自无法识别的ip的设备代码登录,以及发送给多个用户的设备代码身份验证的意外提示。

胡金鱼

Managed ad