Aggregator

September 2024 Patch Tuesday forecast: Downgrade is the new exploit

Help Net Security
5 months ago

I asked for a calm August 2024 Patch Tuesday in last month’s forecast article and that came to pass. The updates released were limited to the regular operating systems and all forms of Office applications. Six zero-day vulnerabilities were announced, with five in the operating systems and one in the Office applications. There were 63 CVEs addressed in the Windows 10 operating systems and associated servers and 55 CVEs addressed in Windows 11. Overall, it … More →

The post September 2024 Patch Tuesday forecast: Downgrade is the new exploit appeared first on Help Net Security.

Help Net Security

CVE-2024-44953 | Linux Kernel up to 6.10.4 scsi kworker/0 ufshcd_rpm_get_sync deadlock (f13f1858a28c/3911af778f20)

Vuldb Updates
5 months ago
A vulnerability was found in Linux Kernel up to 6.10.4. It has been declared as critical. Affected by this vulnerability is the function ufshcd_rpm_get_sync of the file kworker/0 of the component scsi. The manipulation leads to deadlock. This vulnerability is known as CVE-2024-44953. Access to the local network is required for this attack to succeed. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

CVE-2024-44954 | Linux Kernel up to 6.10.4 line6 Privilege Escalation

Vuldb Updates
5 months ago
A vulnerability was found in Linux Kernel up to 6.10.4. It has been rated as problematic. Affected by this issue is some unknown functionality of the component line6. The manipulation leads to Privilege Escalation. This vulnerability is handled as CVE-2024-44954. The attack needs to be approached within the local network. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

Human firewalls are essential to keeping SaaS environments safe

Help Net Security
5 months ago

Businesses run on SaaS solutions: nearly every business function relies on multiple cloud-based tech platforms and collaborative work tools like Slack, Google Workspace apps, Jira, Zendesk and others. We recently surveyed security leaders and CISOs on top data security priorities and challenges. We discovered that over 70% work in organizations using 50 or more SaaS solutions, and nearly a third of the respondents reported their organization’s SaaS environments include 200 or more apps. With so … More →

The post Human firewalls are essential to keeping SaaS environments safe appeared first on Help Net Security.

Help Net Security

Respotter: Open-source Responder honeypot

Help Net Security
5 months ago

Respotter is an open-source honeypot designed to detect attackers when they launch Responder within your environment. This application identifies active instances of Responder by exploiting its behavior when responding to any DNS query. Respotter leverages LLMNR, mDNS, and NBNS protocols to query a non-existent hostname (default: Loremipsumdolorsitamet). If any of these requests receive a response, Responder is likely operating on your network. Respotter can send webhooks to Slack, Teams, or Discord. It also supports sending … More →

The post Respotter: Open-source Responder honeypot appeared first on Help Net Security.

Mirko Zorz

Pavel Durov Criticizes Outdated Laws After Arrest Over Telegram Criminal Activity

The Hackers News
5 months ago
Telegram CEO Pavel Durov has broken his silence nearly two weeks after his arrest in France, stating the charges are misguided. "If a country is unhappy with an internet service, the established practice is to start a legal action against the service itself," Durov said in a 600-word statement on his Telegram account. "Using laws from the pre-smartphone era to charge a CEO with crimes committed
The Hacker News

研究人员发现 SQL 注入可绕过机场 TSA 安全检查

嘶吼
5 months ago

安全研究人员发现了 FlyCASS 中的漏洞,FlyCASS 是一项第三方网络服务,一些航空公司使用它来管理已知机组人员 (KCM) 计划和驾驶舱进入安全系统 (CASS)。

KCM 是一项运输安全管理局 (TSA) 计划,允许飞行员和乘务员跳过安全检查,而 CASS 允许授权飞行员在旅行时使用驾驶舱中的折叠座椅。

KCM 系统通过在线平台验证航空公司员工的证件。该过程包括扫描 KCM 条形码或输入员工编号,然后与航空公司的数据库进行交叉核对以授予访问权限,而无需进行安全检查。同样,CASS 系统在飞行员需要通勤或旅行时验证他们是否有权进入驾驶舱折叠座椅。

研究人员发现 FlyCASS 的登录系统容易受到 SQL 注入攻击,这种漏洞可让攻击者插入 SQL 语句进行恶意数据库查询。通过利用此漏洞,他们可以以参与的航空公司 Air Transport International 的管理员身份登录,并在系统内操纵员工数据。

他们添加了一个虚构的员工“Test TestOnly”,并授予该帐户访问 KCM 和 CASS 的权限,这实际上使他们能够“跳过安全检查,然后进入商用客机的驾驶舱”。

据了解,目前任何具备 SQL 注入基本知识的人都可以登录该网站,并将任何人添加到 KCM 和 CASS,这样他们既可以跳过安全检查,又可以进入商用客机的驾驶舱。

意识到问题的严重性后,研究人员立即开始了披露流程,并于 2024 年 4 月联系了相关机构。他们承认了漏洞的严重性,并确认 FlyCASS 已于 2024 年 5 月 7 日与 KCM/CASS 系统断开连接,作为预防措施。

不久之后,FyCASS 上的漏洞得到了修复。然而,在进一步协调安全披露漏洞时却遭到了抵制。

TSA 新闻办公室还向研究人员发送了一份声明,否认该漏洞的影响,声称该系统的审查过程将防止未经授权的访问。在得到研究人员的通知后,TSA 还悄悄地从其网站上删除了与其声明相矛盾的信息。

该漏洞可能会导致更广泛的安全漏洞,例如更改现有的 KCM 成员资料以绕过对新成员的任何审查程序。

研究人员的报告发布后,另一位研究人员发现,FlyCASS 似乎在 2024 年 2 月遭受了 MedusaLocker 勒索软件攻击,Joe Sandbox 分析显示了加密文件和勒索信。

今年 4 月,TSA 获悉一份报告称,第三方数据库中存在一个漏洞,其中包含航空公司机组人员信息,通过对该漏洞的测试,一个未经验证的姓名被添加到了数据库的机组人员名单中。目前,政府数据或系统没有受到损害,这些活动也没有对交通安全造成影响。

截止到发稿前,TSA 已制定程序来验证机组人员的身份,只有经过验证的机组人员才被允许进入机场的安全区域。

胡金鱼

The true cost of cybercrime for your business

Help Net Security
5 months ago

As cybercriminals continue to refine their methods, blending traditional strategies with new technologies, the financial toll on individuals and organizations has reached alarming levels. Businesses are also grappling with mounting cybercrime costs from ransomware and DDoS attacks, which can inflict hundreds of thousands of dollars in damage within minutes. These statistics highlight a growing concern: as cybercrime costs rise and threats become more complex and widespread, they impact organizations of all sizes. Old methods, new … More →

The post The true cost of cybercrime for your business appeared first on Help Net Security.

Help Net Security

黑客通过 PWA 应用窃取 iOS、Android 用户的银行凭证

嘶吼
5 months ago

近期,安全研究人员发现威胁者开始使用渐进式 Web 应用程序冒充银行应用程序并窃取 Android 和 iOS 用户的凭据。

渐进式 Web 应用程序 (PWA) 是跨平台应用程序,可以直接从浏览器安装,并通过推送通知、访问设备硬件和后台数据同步等功能提供类似原生的体验。

在网络钓鱼活动中使用此类应用程序可以逃避检测,绕过应用程序安装限制,并获得设备上危险权限的访问权限,而无需向用户提供可能引起怀疑的标准提示。

该技术于 2023 年 7 月在波兰首次被发现,而同年 11 月发起的后续活动则针对捷克用户。

网络安全公司 ESET 报告称,它目前正在追踪两个依赖这种技术的不同活动,一个针对匈牙利金融机构 OTP Bank,另一个针对格鲁吉亚的 TBC Bank。

然而,这两起攻击活动似乎是由不同的威胁分子发起的。其中一个组织使用不同的命令和控制 (C2) 基础设施来接收被盗凭证,而另一个组织则通过 Telegram 记录被盗数据。

感染链

ESET 表示,这些活动依靠多种方法来接触目标受众,包括自动呼叫、短信(短信网络钓鱼)以及 Facebook 广告活动中精心制作的恶意广告。

在前两种情况下,网络犯罪分子会用虚假消息诱骗用户,称他们的银行应用程序已过时,出于安全原因需要安装最新版本,并提供下载钓鱼 PWA 的 URL。

PWA 活动感染流程

在社交媒体上发布恶意广告的情况下,威胁分子使用冒充的银行官方吉祥物来诱导合法感,并宣传限时优惠,例如安装所谓关键应用更新即可获得金钱奖励。

网络钓鱼活动中使用的恶意广告之一

根据设备(通过 User-Agent HTTP 标头验证),点击广告会将受害者带到虚假的 Google Play 或 App Store 页面。

虚假的 Google Play 安装提示(左)和进度(右)

点击“安装”按钮会提示用户安装一个伪装成银行应用程序的恶意 PWA。在某些情况下,在 Android 上,恶意应用程序以 WebAPK(由 Chrome 浏览器生成的原生 APK)的形式安装。

网络钓鱼应用程序使用官方银行应用程序的标识符(例如,看似合法的登录屏幕徽标),甚至将 Google Play Store 声明为该应用程序的软件来源。

恶意 WebAPK(左)和钓鱼登录页面(右)

在移动设备上使用 PWA 的吸引力

PWAs 旨在跨多个平台运行,因此攻击者可以通过单一网络钓鱼活动和有效载荷瞄准更广泛的受众。

不过,其主要好处在于可以绕过谷歌和苹果对官方应用商店之外的应用安装限制,以及可能提醒受害者注意潜在风险的“从未知来源安装”警告提示。

PWAs 可以紧密模仿原生应用的外观和感觉,尤其是在 WebAPK 的情况下,图标上的浏览器徽标和应用内的浏览器界面都是隐藏的,因此几乎不可能将其与合法应用程序区分开来。

PWA(左)和合法应用程序(右)

WebAPK 难以区分,因为它们的图标中没有 Chrome 徽标。这些 Web 应用可以通过浏览器 API 访问各种设备系统,例如地理位置、摄像头和麦克风,而无需从移动操作系统的权限屏幕请求这些权限。

最终,攻击者可以在无需用户交互的情况下更新或修改 PWA,从而允许动态调整网络钓鱼活动以获得更大的成功。

滥用 PWAs 进行网络钓鱼是一种危险的新兴趋势,随着越来越多的网络犯罪分子意识到其潜力和优势,这种趋势可能会发展到新的程度。

胡金鱼

Managed ad