Hello Hacking8!

This new version of pdf-parser fixes a couple of bug and has a work around for non compliant PDFs.
pdf-parser_V0_7_6.zip (http)
MD5: 3B6F837AF147422B1256596BCA69D737
SHA256: 34379A9987B2286706AF4C43AC72C93611AE3E9C0C571DD729EBB09C7A707A0D

Article Link: Update: pdf-parser.py Version 0.7.6 | Didier Stevens
1 post - 1 participant
Read full topic
这个新版本的 pdf 解析器修复了一些 bug，并且为不兼容的 pdf 文件提供了一个解决方案。
Pdf-parser _ v0 _ 7 _ 6.zip (http)
MD5:3B6F837AF147422B1256596BCA69D737
SHA256:34379A9987B2286706AF4C43AC72C93611AE3E9C0C571DD729EBB09C7A707A0D

文章链接: 更新: pdf-parser.py Version 0.7.6 | Didier Stevens
1名1岁以后的参与者
阅读完整主题

师傅们，jdbc的URL可控有啥方法能jndi注入不，能加载Oracle数据库驱动类和MySQL数据库驱动类

Xavier’s diary entry “A ‘Zip Bomb’ to Bypass Security Controls & Sandboxes” reminded me of something. I’ve seen huge PE files like Xavier saw, but I’ve also seen a couple of huge PE files that are signed. I will explain here how you can reduce their size.
Article Link: InfoSec Handlers Diary Blog - SANS Internet Storm Center
1 post - 1 participant
Read full topic
Xavier 的日记“ a‘ Zip Bomb’to pass Security Controls & sandbox”让我想起了一些事情。我见过像 Xavier 那样的巨大的 PE 文件，但我也见过一些有签名的巨大 PE 文件。我将在这里解释如何减小它们的尺寸。
文章链接: InfoSec 处理程序日志博客-SANS 互联网风暴中心
1名1岁以后的参与者
阅读完整主题

经过了为期一年代号为“黛利拉行动”（Operation Delilah）的调查，尼日利亚警方于近日在拉各斯的穆尔塔拉•穆罕默德国际机场逮捕了一名37岁男子，该男子是网络犯罪团伙SilverTerrier（又名TMT）的疑似头目。本次抓捕行动得到了几家全球大型网络安全公司（包括Group-IB, Palo Alto Networks Unit 42和Trend Micro）的支持。 SilverTerrier是一个拥有数百人成员规模的团伙，自2014年进入公众视野以来它就一直相当活跃，该团伙十分注重于商业电子邮件犯罪（BEC）。2020年5月，这个团伙曾发动过一次引发广泛关注的攻击。当时，Palo Alto Networks的研究人员观察到，团伙以COVID-19为诱饵对全球医疗机构和政府组织发动了攻击。 在此之前，2020年11月，国际刑警组织领导了打击SilverTerrier团伙的“猎鹰行动”（Operation Falcon）。此后，在“猎鹰二号行动”中，国际刑警组织逮捕了SilverTerrier团伙的15名成员。 “尼日利亚逮捕了这名著名的网络罪犯，这证明了我们的国际执法联盟和国际刑警组织的私营部门伙伴在打击网络犯罪方面长期不懈的努力收到了成果”，尼日利亚警察部门助理总督察、国际刑警组织尼日利亚国家中央局局长、国际刑警组织执行委员会非洲事务副主席Garba Baba Umar这样对媒体说道。 这名助理总督察还补充说道:“我希望这次‘黛利拉行动’能震慑全世界的网络罪犯，执法部门将继续追捕他们，这次逮捕行动也将为相关受害者带来慰藉。” 对此，国际刑警组织负责网络犯罪行动的助理主任Bernardo Pillot也表达了自己观点，“这起案件让我们看到了网络犯罪的全球化属性，以及通过全球到区域打击网络犯罪的行动方法的重要性。网络犯罪不是我们195个成员国中的任何一个可以单独面对的威胁，只有国家执法机构、私营部门合作伙伴和国际刑警组织共同坚持不懈地努力，才可以取得良好的结果。” 转自 Freebuf，原文链接：https://www.freebuf.com/news/334370.html 封面来源于网络，如有侵权请联系删除

🍵 Gitea repository migration remote command execution exploit.

pydumpck is a multi-threads tool for decompile exe,elf,pyz,pyc packed by python which is base on pycdc and uncompyle6.sometimes its py-file result …

List/Read contents of Zip files (in memory and without extraction) using CobaltStrike's Execute-Assembly

Cybereason is constantly innovating to ensure that our customers can achieve the utmost efficacy and efficiency in their security programs. The latest release of the Cybereason Defense Platform is packed with enhancements, including improvements to query results, sensor management, updated workflows, and expanded support for Linux. Customers can read the complete release notes on The Nest.
Article Link: Cybereason Improves Investigation, Enhances Protection and Infrastructure Management
1 post - 1 participant
Read full topic
赛博易迅不断创新，以确保我们的客户可以实现最高的效率和效力，在他们的安全计划。最新版本的 Cybereason 防御平台充满了改进，包括对查询结果、传感器管理、更新的工作流程的改进，以及对 Linux 的扩展支持。客户可以在 The Nest 上阅读完整的发布说明。
文章链接: 网络地役权改善调查，加强保护和基础设施管理
1名1岁以后的参与者
阅读完整主题

The Senate Armed Services Committee on Tuesday advanced President Joe Biden’s pick to be the next No. 2 at U.S. Cyber Command.
The panel voted by voice vote to approve Sixteenth Air Force (Air Forces Cyber) chief Lt. Gen. Timothy Haugh to be Cyber Command’s new deputy as part of an en bloc list of more than 3,400 pending military nominations.
The committee also approved Navy Rear Adm. Craig Clapperton to become a vice admiral and the next head of Fleet Cyber Command.
Clapperton, who, like Haugh, did not have a confirmation hearing, would become the sixth chief of the service’s digital warfighting branch since it was established in 2010.
Both nominations, which were made just last month, now go to the Senate floor for a confirmation vote.
Haugh is considered to be the most likely successor to Cyber Command and National Security Agency chief Army Gen. Paul Nakasone.
Before overseeing the creation of the service’s first information warfare entity, Haugh served in a number of senior roles at the command, includin

Interpol said Wednesday that it struck a major blow against a cybercrime group known for business email compromise (BEC) scams aimed at stealing money from companies around the world.
The international law enforcement agency announced that the cybercrime unit of Nigeria’s national police arrested a 37-year-old Nigerian man suspected to be the leader of a BEC group known as SilverTerrier to cybersecurity researchers.
The unidentified suspect “is alleged to have run a transnational cybercrime syndicate that launched mass phishing campaigns and business email compromise schemes targeting companies and individual victims,” Interpol said.
Palo Alto Networks’ Unit 42, one of the cybersecurity companies that assisted in the investigation, posted a photo of the suspect but did not identify him. Three other companies — Trend Micro, Group-IB and CyberTOOLBELT — also collaborated with law enforcement, authorities said.
The operation is the latest in a series of counter-BEC actions that most recently included the apprehe

The US government must clean up ransomware reporting and data collection if it wants to devise adequate policy responses.
Article Link: Data on ransomware attacks is 'fragmented and incomplete' warns Senate report | ZDNet
1 post - 1 participant
Read full topic
如果美国政府想要制定充分的政策回应，它必须清理勒索软件的报告和数据收集。
文章链接: 参议院报告警告说，勒索软件攻击的数据“支离破碎且不完整”
1名1岁以后的参与者
阅读完整主题

Jared Rittle of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.
Cisco Talos recently discovered eight vulnerabilities in the Open Automation Software Platform that could allow an adversary to carry out a variety of malicious actions, including improperly authenticating into…



[[ This is only the beginning! Please visit the blog for the complete entry ]]
Article Link: Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Vulnerability Spotlight: Vulnerabilities in Open Automation Software Platform could lead to information disclosure, denial of service
1 post - 1 participant
Read full topic
发现了这些漏洞。
思科 Talos 最近在开放自动化软件平台上发现了8个漏洞，这些漏洞可能允许敌人进行各种恶意行为，包括不正确地对..。



[这仅仅是个开始! 请访问我的博客查看完整的条目]
文章链接: Cisco Talos Intelligence Group-Comprehensive Threat Intelligence: Vulnerability Spotlight: Vulnerability in Open Automation Software Platform could lead to information disclosure，分布式拒绝服务攻击
1名1岁以后的参与者
阅读完整主题

Internet service in Pakistan is being artificially limited as the government seeks to shut down protests organized by former Prime Minister Imran Khan, who became the first leader in the country’s history to be removed from office in a no-confidence motion in parliament on April 10.
NetBlocks, an organization that tracks internet outages across the world, said there were disruptions to service from multiple providers across Pakistan after 5 p.m. local time Wednesday.
Alp Toker, director of NetBlocks, told The Record that real-time network data showed the restriction coming into effect across multiple providers “in a pattern consistent with an intentional disruption to service.”
⚠️ Confirmed: Real-time network data show internet disruptions across #Pakistan as ousted Prime Minister Imran Khan organizes mass rallies; metrics show impact to multiple providers in cities including Karachi, Lahore and Islamabad #LongMarch

Report: https://t.co/FVFwtxUzLp pic.twitter.com/0ScS8krmuy
— NetBlocks (@netblocks) May 25, 2

根据美国参议院委员会的一份新报告，美国政府缺乏关于勒索软件攻击的全面数据，而且现有的报告比较分散。美国国土安全部和公共事务委员会近日发布了一份 51 页的报告，呼吁政府迅速实施新的授权，要求联邦机构和关键基础设施组织在遭遇勒索软件之后必须上报，以及需要支付的赎金。 为了撰写这份报告，委员会进行了为期 10 个月的调查，并重点关注加密货币在勒索软件支付中的作用。结果发现有关攻击的报告是“零散且不完整”的，部分原因是 FBI 和 CISA 都声称拥有“一站式服务” 报告攻击的网站——分别是 IC3.gov 和 StopRansomware.gov。 新法律要求关键基础设施组织在 72 小时内向 CISA 报告网络攻击，并在 24 小时内向 CISA 报告勒索软件的赎金。CISA 在 3 月份表示将立即与 FBI 分享事件报告，但调查发现这种安排存在缺陷。 报告指出：“虽然这些机构声明他们彼此共享数据，但在与委员会工作人员的讨论中，勒索软件事件响应公司质疑此类通信渠道对协助攻击受害者的影响的有效性”。 除了 FBI 和 CISA 的双重报告职能之外，财政部的 FinCEN、运输安全管理局和证券交易委员会还有针对特定部门的报告制度，以及通过 FBI 外地办事处和一些州政府的报告。报告指出：“这些机构没有统一捕获、分类或公开共享信息。” 它指出，专家认为 FBI 关于勒索软件的 IC3 数据是数据的“子集”。 FBI 在其年度 IC3 报告中承认其勒索软件数据“人为地低”，因为受害者只是自愿向 FBI 报告事件。与此同时，收集勒索软件受害者报告的 FBI 外地办事处在后续调查期间与约 25% 的受害者失去了联系。 转自 cnBeta，原文链接：https://www.cnbeta.com/articles/tech/1273865.htm 封面来源于网络，如有侵权请联系删除

Microsoft says it’s recorded a massive increase in XorDDoS activity (254 percent) in the last six months. XorDDoS, a Linux Trojan known for its modularity and stealth, was first discovered in 2014 by the white hat research group, MalwareMustDie (MMD).
MMD believed the Linux Trojan originated in China. Based on a case study in 2015, Akamai strengthened the theory that the malware may be of Asian origin based on its targets.
Microsoft said that XorDDoS continues to home on Linux-based systems, demonstrating a significant pivot in malware targets. Since Linux is deployed on many IoT (Internet of Things) devices and cloud infrastructures, we are likely to see DDoS (distributed denial-of-system) attacks from botnets that have compromised such devices.
DDoS attacks—where normal Internet traffic to a targeted server, service, or network is overwhelmed with a flood of extra traffic from compromised machines—have become part of a greater attack scheme. Such powerful attacks are no longer conducted just to disrupt. DDo

The landmark regulation changed everyone’s mindset on how companies worldwide collect and use the personal data of EU citizens
The post 5 reasons why GDPR was a milestone for data protection appeared first on WeLiveSecurity
Article Link: 5 reasons why GDPR was a milestone for data protection | WeLiveSecurity
1 post - 1 participant
Read full topic
这项具有里程碑意义的规定改变了所有人对于全球企业如何收集和使用欧盟公民个人数据的看法
为什么 GDPR 是数据保护的一个里程碑，后5个原因首次出现在 WeLiveSecurity 上
文章链接: GDPR 成为数据保护里程碑的5个原因 | WeLiveSecurity
1名1岁以后的参与者
阅读完整主题

The Verizon 2022 Data Breach Investigations Report is out. We are proud to collaborate as a supporting contributor to this year’s data efforts once again and to have contributed for the past 8 years. The report provides interesting analysis of a full amount of global incident data.
Several things stand out in the 2022 report:
Ransomware challenges continue to mount — “Ransomware’s heyday continues, and is present in almost 70% of malware breaches this year.”
Social engineering became an overwhelming problem this past year, highlighting the surge in repeated cybercrime tactics — 1. “The human element continues to be a key driver of 82% of breaches and this pattern captures a large percentage of those breaches.” 2. “Actor Motives: Financial (89%), Espionage (11%).”
APT activity continues to be high, was underreported in the past, and while it possibly continues to be underreported, its reporting is increasing: “Financial has been the top motive since we began to track it in 2015. However, that same year the ris

Ransomware does what the name implies: holds your files or network to ransom. Pay the authors, typically in cryptocurrency, and you may get your files back. Refuse, and the files could be lost forever or even leaked to the far corners of the net.
Sometimes creators of ransomware try different things. In this case, a proof of concept called GoodWill ransomware’s approach is to force victims into performing seemingly nice tasks instead of pay a ransom.
Hunting for GoodWill
GoodWill ransomware functions like any other, at least in terms of basic functionality. It encrypts the most common file types: videos, documents, photos, databases. Without the decryption key, you won’t be able to recover your locked files.
There’s one key difference, however. The people behind this attack want victims to get out there and do some public good. Perform three good deeds, and you get your files back. That’s right: No cryptocurrency payment, no gift card codes required.
Hoop jumping as kindness
Things quickly become a bit distur

The Senate Homeland Security Committee on Wednesday easily approved legislation that would require the Homeland Security Department to participate in cyber information sharing agreements with Congress.
The panel decided by voice vote during a business meeting to advance the Intragovernmental Cybersecurity Information Sharing Act, which would ensure that administrative officials in booth chambers — including the Senate’s Sergeant at Arms and the House’s Chief Administrative Officer — receive “direct and timely” information about existing digital threats and network vulnerabilities from the executive branch.
“We all know about this persistent and growing threat and this bill’s another step, in my view, in the right direction to help provide a united defense against these various state and non-state actors,” Sen. Rob Portman (Ohio), the panel’s top Republican and lead sponsor on the bipartisan measure, said at the start of the session.
The legislation, which now heads to the Senate floor for a vote, is the lates

Overview
Researchers from Sonatype last week reported on a supply chain attack via a malicious Python package ‘pymafka’ that was uploaded to the popular PyPI registry. The package attempted to infect users by means of typosquatting: hoping that victims looking for the legitimate ‘pykafka’ package might mistype the query and download the malware instead.
While typosquatting may seem like a rather hit-and-miss way to infect targets, it hasn’t stopped threat actors from trying their luck, and it’s the second such attack we’ve seen in recent weeks using this method. Last week, SentinelLabs reported on CrateDepression, a typosquatting attack against the Rust repository that targeted macOS and Linux users.
Both attacks also made use of red-teaming tools to drop a payload on macOS devices that ‘beacons’ out to an operator. In the case of ‘pymafka’, the attackers further made use of a very specific packing and obfuscation method to disguise the true nature of the Mach-O payload, so specific in fact that we’ve only se

Hundreds of people are stranded at airports across India after the SpiceJet airline reported on Wednesday that it was hit with a ransomware attack.
The company told The Record that the incident impacted several flights, particularly at airports where there are restrictions on night operations.
“While our IT team has to a large extent contained and rectified the situation, this has had a cascading effect on our flights leading to delays,” a SpiceJet spokesperson said. “SpiceJet is in touch with experts and cyber crime authorities on the issue.”
SpiceJet publicly confirmed the ransomware attack on Twitter, but dozens of customers responded with complaints about the company’s response to the issue. Several said they were stranded at airports, and some had even boarded flights before being told the planes could not take off because of technical issues. The company later admitted that some flights were being cancelled because of the attack.
Many of the company’s web pages also were not working as of Wednesday afte

Article Link: Malware Triage Tips: How To Stop Wasting Time in IDA On Packed Samples [ Twitch Clip ] - YouTube
1 post - 1 participant
Read full topic
文章链接: 恶意软件分类提示: 如何停止浪费时间在 IDA 打包样本[抽搐剪辑]-YouTube
1名1岁以后的参与者
阅读完整主题

The Cybersecurity and Infrastructure Security Agency (CISA) added 41 vulnerabilities to its catalog of known exploited bugs this week, one of the largest batches of additions to the list since CISA began compiling it in November.
Dozens of the vulnerabilities are years old and federal civilian agencies have been given until June 13 and 14 to apply the patches or disconnect the ones that are end-of-life.
The list includes bugs in products from Microsoft, Apple, Adobe, Whatsapp, Mozilla, Google, Cisco, Kaseya, Artifex and QNAP.
CISA puts the list together based on evidence of active exploitation, noting that the vulnerabilities listed are “a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.” Andrew Hay, COO at cybersecurity firm LARES Consulting, said CISA likely received intelligence, or perhaps monitored actual activity, which indicates that the vulnerabilities added need to be patched immediately.
Kevin Breen, director of Cyber Threat Research at Immersive

By: Jason Reaves and Joshua Platt
SocGholish AKA FAKEUPDATES was first reported in 2017. While the initial analysis and reporting did not gain much attention, over time the actor(s) behind the activity continued to expand and develop their operations. Partnering with Evil Corp, the FAKEUPDATE / SOCGHOLISH framework has become a major corporate initial access vector. The threat actor(s) behind the framework have strong underground connections, demonstrated through their partnership with Evil Corp and signify thoroughly vetted cyber criminal activity. Threat attackers utilizing the framework represent significant risk to global corporations and have demonstrated top tier penetration testing abilities. According to the FBI, typical losses attributed to their activity span 1 to 40 million dollars per event[1].
Most public reporting on SocGholish revolves around the usage of fake software updates either through drive-by downloads or through links in email spam. However as we will demonstrate in this report they ha

A hearing the committee held leading up to the bill’s markup focused on a shortage of procurement officials in the federal workforce, which an industry witness said could be addressed if it weren’t for inflexible ethics rules.
Article Link: Senate Homeland Clears Bill to Avoid Conflicts of Interest in Federal Contracting - Nextgov
1 post - 1 participant
Read full topic
该委员会举行了一场听证会，为该法案的通过做准备。听证会的焦点是联邦政府采购官员短缺的问题。一位行业证人表示，如果没有僵硬的道德规范，这个问题可以得到解决。
文章链接: 美国国土参议院通过法案避免 Federal Contracting-Nextgov 利益冲突
1名1岁以后的参与者
阅读完整主题

Automating Azure Abuse Research — Part 1
Intro
Back in February of 2020 Karl Fosaaen published a great blog post about abusing Managed Identity (MI) assignments, specifically those assigned to a Virtual Machine running in Azure. Karl’s blog outlines the scenarios in which privilege escalation may be possible by first executing commands on the VM, then getting a token for the VM’s MI via the Instance Metadata Service (IMDS) token acquisition endpoint.
On May 15th, Marius Sandbu published a blog post where he talks about responding to an incident where a real adversary was abusing this exact scenario.
The scenario and PoC code Karl provided recently piqued my interest for a few reasons:
Karl mentions in his post that executing commands on an Azure VM requires a certain role (Contributor or Owner). I want to understand this at a deeper level, especially with the possibility of people creating their own custom Azure roles.
I want to audit the atomic permissions in Azure roles and validate which permissions actual

President Joe Biden has chosen a senior U.S. Cyber Command official to be next chief of the Air Force’s information warfare branch, the latest in a series of moves among top cybersecurity leaders within the military services.
Defense Secretary Lloyd Austin on Wednesday announced that Biden had tapped Air Force Maj Gen. Kevin Kennedy — who has served Cyber Command’s director of operations since 2020 — to receive his third star and become the next head of the 16th Air Force (Air Forces Cyber).
If confirmed by the Senate, Kennedy would replace Lt. Gen. Timothy Haugh, who the president nominated to be Cyber Command’s new No. 2 and who could be confirmed to his new post as soon as this week.
Kennedy would manage a number of missions that the service consolidated into a single information warfare entity in 2019, including cyber and electronic warfare operations.
In his role as Cyber Command’s director of operations, Kennedy “plans, coordinates, integrates and conducts mission command of full-spectrum Department of 

On April 24, 2022, a privilege escalation hacking tool, KrbRelayUp, was publicly disclosed on GitHub by security researcher Mor Davidovich. KrbRelayUp is a wrapper that can streamline the use of some features in Rubeus, KrbRelay, SCMUACBypass, PowerMad/SharpMad, Whisker, and ADCSPwn tools in attacks.
Although this attack won’t function for Azure Active Directory (Azure AD) joined devices, hybrid joined devices with on-premises domain controllers remain vulnerable. Microsoft Defender for Identity detects activity from the early stages of the attack chain by monitoring anomalous behavior as seen by the domain controller. In addition, signals from Defender for Identity also feed into Microsoft 365 Defender, providing organizations with a comprehensive solution that detects and blocks suspicious network activities, malicious files, and other related components of this attack. Microsoft Defender Antivirus detects this attack tool as the malware family HackTool:MSIL/KrbUpRly.
Microsoft encourages customers to updat

The Conti ransomware gang has published all of the data it stole during a January attack on the government servers of Linn County, Oregon.
The group — which appears to be reorganizing itself, according to cybersecurity experts — released nearly 1,500 documents Wednesday. Linn County officials said they chose not to pay a ransom after realizing that they had backups and determining that the data was not particularly sensitive.
Darrin Lane, administrative officer for Linn County, told The Record that the attack began on the morning of Jan. 24 and that the county’s IT team immediately began shutting down systems in order to limit the damage.
The move was successful, and the county eventually realized that the attack was limited to two active directory domains. The attack brought down the government’s website, but several departments and offices were not affected, including the Sheriff’s Department or the Health Services Department.
“The attack did impact our Road Department servers and we did receive information

This afternoon, we informed the Lacework team of some difficult news related to a restructuring of our business. Openness is one of our core values at Lacework, so in the spirit of transparency with employees, customers, and partners, we are sharing our internal communication here:
—
Internal Lacework Confidential
Fellow Lacers:
Over the past several weeks and months, a seismic shift has occurred in both the public and private markets. While we do not have control of the environment around us, we do have a responsibility to control how we operate our business and make changes as needed to best position the company for continued and long-term success.
We are making some important changes to our team and our business. Today, we made the very difficult decision to say goodbye to some of our colleagues, as part of a restructuring and modification to the company plan. Today was our day to focus on those individuals. We delayed this broader notification in order to speak with those impacted Lacers one to one throug

TechSpective Podcast Episode 089 There is no such thing as perfect or invulnerable cybersecurity. The goal of cybersecurity is to raise the bar or cost of entry to make it as challenging as possible for threat actors, and to detect and identify new threats as quickly as possible. Given the sheer size of the threat [...]
The post Rajiv Kulkarni Talks about the Malware Analysis Pipeline appeared first on TechSpective.
The post Rajiv Kulkarni Talks about the Malware Analysis Pipeline appeared first on Security Boulevard.
Article Link: Rajiv Kulkarni Talks about the Malware Analysis Pipeline - Security Boulevard
1 post - 1 participant
Read full topic
没有完美的网络安全这回事。网络安全的目标是提高进入的门槛或成本，使威胁行为者尽可能具有挑战性，并尽快发现和识别新的威胁。考虑到威胁的绝对规模[ ... ]
后 Rajiv Kulkarni 关于恶意软件分析管道的演讲最早出现在 techremind 上。
后 Rajiv Kulkarni 谈到恶意软件分析管道最早出现在安全大道。
文章链接: Rajiv Kulkarni 谈论恶意软件分析管道安全大道
1名1岁以后的参与者
阅读完整主题

Speaking at the World Economic Forum in Davos, the CEO was upbeat about her company’s role in Russia, whilst a panel of experts tackled the issue of health data privacy.
Article Link: YouTube remains in Russia to be an independent news source: CEO | ZDNet
1 post - 1 participant
Read full topic
在达沃斯举行的世界经济论坛上，这位 CEO 对她的公司在俄罗斯的角色表示乐观，同时一个专家小组讨论了健康数据隐私问题。
文章链接: YouTube 在俄罗斯仍然是一个独立的新闻来源: CEO | ZDNet
1名1岁以后的参与者
阅读完整主题

Twitter has agreed to pay $150 million for violating a 2011 administrative order with the U.S. Federal Trade Commission over how it used the email addresses and phone numbers of its users for targeted advertising, the agency announced with the Department of Justice on Wednesday.
In a 20-page complaint filed Wednesday in the U.S. District Court for the Northern District of California, the DoJ alleged that from May 2013 to September 2019, Twitter asked users for their contact information to make their accounts more secure. The social media giant failed to tell users that it would also use the phone numbers and email addresses to help companies send targeted ads to them, the DoJ alleges.
The 2011 FTC order stated that Twitter “engaged in deceptive acts or practices” by misrepresenting how it handled user data, and that the company lacked reasonable safeguards to keep accounts and data secure. Additionally, the order barred Twitter from misrepresenting “the extent to which [it] maintains and protects the security

Article Link: InfoSec Handlers Diary Blog - SANS Internet Storm Center
1 post - 1 participant
Read full topic
文章链接: InfoSec 处理程序日志博客-SANS 互联网风暴中心
1名1岁以后的参与者
阅读完整主题

On the internet, the Domain Name System (DNS) is the way regular people access websites such as ESPN.com or BBC.com. However, the internet uses a unique series of Internet Protocol (IP) addresses to access websites which are tricky for humans to remember.  Web browsers typically interact with websites through IP addresses, and DNS translates websites into IP addresses so browsers can access Internet resources. Historically, this has been done in the form of unencrypted clear text that ISPs and security providers such as McAfee can read and act upon to sort through risky websites or to improve network performance and intelligence.
However, this also opens up vulnerabilities of security and privacy.  As an industry, (Apple, Microsoft, Google, and others) participants are moving toward encrypting this traffic to and from DNS servers with protocols such as DNS over TLS (DoT) and DNS over HTTPS (DoH). Unless the ISP offers DoT/DoH decryption (translation) capabilities, traffic could go directly to outside DNS prov

By Oliver Devane
Update: In the past 24 hours (from time of publication)  McAfee has identified 15 more scam sites bringing the total to 26. The combined value of the wallets shared on these sites is over $1,300,000 which is an increase of roughly $1,000,000 since this blog was last published. This highlights the scale of this current scam campaign. The table within this blog has been updated to include the new sites and crypto-wallets.
McAfee has identified several Youtube channels which were live-streaming a modified version of a live stream called ‘The B Word’ where Elon Musk, Cathie Wood, and Jack Dorsey discuss various aspects of cryptocurrency.
The modified live streams make the original video smaller and put a frame around it advertising malicious sites that it claims will double the amount of cryptocurrency you send them. As the topic of the video is on cryptocurrency it adds some legitimacy to the websites being advertised.
The original video is shown below on the left and a modified one which includ

This new version of pecheck.py, my tool to analyze PE files, brings some extra information on overlays:
pecheck-v0_7_15.zip (http)
MD5: 8D85E40E4770D9F29C08CBE3D7BE57F0
SHA256: 596848BC8BD03936604212E4CBE9545A03EE629BE6125D08A4E28068F1952961

Article Link: Update: pecheck.py Version 0.7.15 | Didier Stevens
1 post - 1 participant
Read full topic
我分析 PE 文件的工具 pecchk.py 的这个新版本带来了一些关于叠加的额外信息:
Pecheck-v0 _ 7 _ 15.zip (http)
5:8D85E40E4770D9F29C08CBE3D7BE57F0
256:596848BC8BD03936604212E4CBE9545A03EE629BE6125D08A4E28068F1952961

文章链接: 更新: pecheck.py Version 0.7.15 | Didier Stevens
1名1岁以后的参与者
阅读完整主题

This new version of re-search.py brings input & output encoding to option –encoding (this was input encoding only in prior versions).
re-search_V0_0_20.zip (http)
MD5: AA8091E9F9D7C639CDB3D71C842DE6C3
SHA256: 78290F2D06D29514C2BAF95BFE9EF95AF4DDE9798EA0EE27EB800DCF4D99786A

Article Link: Update: re-search.py Version 0.0.20 | Didier Stevens
1 post - 1 participant
Read full topic
这个新版本的 re-search.py 为选项编码带来了输入和输出编码(这只是以前版本中的输入编码)。
Research _ v0 _ 0 _ 20.zip (http)
5: AA8091E9F9D7C639CDB3D71C842DE6C3
256:78290F2D06D29514C2BAF95BFE9EF95AF4DDE9798EA0EE27EB800DCF4D99786A

文章链接: 更新: re-search.py Version 0.0.20 | Didier Stevens
1名1岁以后的参与者
阅读完整主题

尼日利亚警方于近日在拉各斯逮捕了网络犯罪团伙SilverTerrier的疑似头目。

一、实战化安全运营的困境 近年来，安全威胁态势日趋严峻，网络攻击呈现常态化。2021年12月爆出Log4j2漏
Read More

1. Setting up Vulnerable Application For AWS WAF
Continue reading on InfoSec Write-ups »
1. 为 AWS WAF 设置易受攻击的应用程序
继续阅读「资讯安全网专题报道」

Q. What is Core Rule Set & why it is utilized by all the cloud WAFs? A. We will try to understand more about the core rule set along with…
Continue reading on InfoSec Write-ups »
问:。什么是核心规则集? 为什么所有的云片都使用它？答:。我们将尝试了解更多关于核心规则集与..。
继续阅读「资讯安全网专题报道」

Based on OWASP Top-10 Vulnerabilities. This time we are looking for secure coding bugs related to Injection Flaws
Continue reading on InfoSec Write-ups »
基于 OWASP 的前10个漏洞。这一次，我们正在寻找与注入缺陷有关的安全编码错误
继续阅读「资讯安全网专题报道」

Q. What is Core Rule Set & why it is utilized by all the cloud WAFs? A. We will try to understand more about the core rule set along with…
Continue reading on InfoSec Write-ups »
问:。什么是核心规则集? 为什么所有的云片都使用它？答:。我们将尝试了解更多关于核心规则集与..。
继续阅读「资讯安全网专题报道」

Based on OWASP Top-10 Vulnerabilities. This time we are looking for secure coding bugs related to Injection Flaws
Continue reading on InfoSec Write-ups »
基于 OWASP 的前10个漏洞。这一次，我们正在寻找与注入缺陷有关的安全编码错误
继续阅读「资讯安全网专题报道」

Kubernetes 是一个开源容器编排系统，用于自动化软件部署、扩展和管理。Shadowserver 基金会开始扫描可访问的 Kubernetes API 实例，这些实例以 200 OK HTTP 响应对探测器进行响应。 “在我们能够识别的超过45万个API中，我们每天发现超过38万个允许某种形式的访问的 Kubernetes API。这些数据每天都会在我们的可访问Kubernetes API 服务器报告中共享。”， 扫描结果并不意味着这些服务器完全开放或容易受到攻击，它表明服务器具有“不必要地暴露攻击面”的情况。 它们扫描端口6443和443上的所有IPv4空间，并且仅包括响应200 OK（附带 JSON 响应）的Kubernetes服务器，因此在其响应中披露版本信息。2022-05-16的扫描结果发现 381,645 个唯一IP响应了探测的 200 OK HTTP 响应。 “这是我们看到的 454,729 个 Kubernetes API 实例中的一个。因此，“开放”API 实例构成了我们可以在 IPv4 互联网上扫描的所有实例的近 84%。” 数据安全公司 Comforte AG 的网络安全专家 Erfan Shadabi 表示，Shadowserver基金会扫描发现如此多的 Kubernetes 服务器暴露在公共互联网上，他并不感到惊讶。“White Kubernetes] 为企业提供了敏捷应用交付的巨大好处，有一些特点使其成为理想的攻击目标。例如，由于拥有许多容器，Kubernetes 有一个很大的攻击面，如果不预先保护，可能会被利用，”他说。   保护 Kubernetes Shadowserver基金会建议，如果管理员发现他们环境中的 Kubernetes 实例可以访问互联网，他们应该考虑实施“访问授权”，或者在防火墙级别进行阻止以减少暴露的攻击面。 Erfan Shadabi建议在其生产环境中使用容器和 Kubernetes 的组织应像对待 IT 基础设施的各个方面一样认真对待 Kubernetes。   转自 E安全，原文链接：https://mp.weixin.qq.com/s/WVM4giXIQmz4PxhSQlHTIQ 封面来源于网络，如有侵权请联系删除

微软发现，被称为XorDdos的Linux木马的网络犯罪活动正在增加，该报告发现，在过去六个月中，针对 Linux 端点使用该恶意软件的恶意活动增加了 254%，主要针对云、物联网。 该木马由安全研究组织 MalwareMustDie 于2014年首次发现，以其使用基于XOR的加密以及聚集僵尸网络执行分布式拒绝服务攻击的事实而得名。“XorDdos 描绘了恶意软件越来越多地针对基于Linux的操作系统的趋势，这些操作系统通常部署在云基础设施和物联网 (IoT) 设备上，”Redmond警告说。 为了说明这一趋势，Redmond 指出，在XorDdos恶意软件长达8年的恐怖统治过程中，它已经达到了惊人的水平，感染了无法估量设备。博客没有说。它也没有为 254% 的增长提供任何基线，微软表示要到下周中旬才会拥有它们。 Microsoft 365 Defender 研究团队写道：“由于多种原因，DDoS 攻击本身可能存在很大问题，但此类攻击也可以用作隐藏进一步恶意活动的掩护，例如部署恶意软件和渗透目标系统。”   与Linux僵尸网络同样危险的Windows 僵尸网络 以 Windows 设备为目标的 Purple Fox 恶意软件为例，该恶意软件也在 2018 年被发现。 Guardicore 安全研究人员最近写了一篇关于这个僵尸网络的恶意活动如何自 2020 年 5 月以来跃升 600%，仅在过去一年就感染了 90,000 多台设备的文章。但微软并没有在博客中提到这一点。 本周微软的安全情报团队确实警告过针对Linux和Windows系统的Sysrv moreno-mining僵尸网络的新变种。   XorDdos 如何逃避检测 微软指出该恶意软件使用安全外壳 (SSH) 暴力攻击来控制目标设备。一旦成功找到正确的根凭证组合，它就会使用两种方法之一进行初始访问，这两种方法都会导致运行恶意 ELF 文件——XorDdos 恶意软件。 据研究团队称，该二进制文件是用 C/C++ 编写的，其代码是模块化的。它使用特定的功能来逃避检测。 如上所述，其中之一是基于 XOR 的加密来混淆数据。此外，XorDdos 使用守护进程（这些是在后台运行的进程）来破坏基于进程树的分析。该恶意软件还使用其内核 rootkit 组件隐藏其进程和端口，从而帮助其逃避基于规则的检测。 此外，隐形恶意软件使用多种持久性机制来支

KNX-Bus-Dump是一款功能强大的KNX总线数据监听和分析工具，该工具使用了Calimero Java库来记录和监控所有通过KNX总线...

据调查，相较年初以来的稳定，ChromeLoader恶意软件的数量在本月有所上升，这将导致浏览器劫持成为一种普遍的威胁。ChromeLoader是一种浏览器劫持程序，它可以修改受害者的网络浏览器设置，以宣传不需要的软件、虚假广告，甚至会在搜索页面展示成人游戏和约会网站。威胁行为者将用户流量重定向到广告网站，通过营销联盟系统获得经济收益。虽然这类劫持者并不少见，但ChromeLoader因其持久性、数量和感染途径而脱颖而出，其中包括对滥用PowerShell。 今年2月以来，Red Canary 研究人员一直保持对ChromeLoader的追踪，据他说，劫持者使用恶意ISO存档文件来感染他们的受害者。ISO文件会被伪装成游戏或商业软件的破解可执行文件，所以受害者在不知情的情况下会从torrent或恶意网站下载它。研究人员还注意到，Twitter上有帖子推广破解的Android游戏，并提供二维码，这也会导致用户进入恶意软件托管网站。 当在Windows 10及以上版本操作系统双击ISO文件时，会将ISO文件挂载为虚拟光驱。这个ISO文件包含一个可执行文件，它使用“CS_Installer.exe”这样的名称，假装是一个游戏破解程序或keygen。 最后，ChromeLoader执行并解码PowerShell命令，从远程资源获取存档并加载为谷歌Chrome扩展。完成此操作后，PowerShell 将删除计划任务，使Chrome感染一个静默注入的扩展程序，该扩展程序劫持浏览器并操纵搜索引擎结果。 ChromeLoader恶意软件同时也针对macOS系统，意在同时操纵Chrome和Apple的Safari 网络浏览器。macOS上的感染链也类似，但威胁参与者使用DMG（Apple 磁盘映像）文件代替ISO，这是该操作系统上更常见的格式。不过macOS变体使用安装程序bash脚本下载并解压ChromeLoader扩展到“private/var/tmp”目录，而不是安装程序可执行文件。 为了保持持久性，macOS版本的ChromeLoader会在‘/Library/LaunchAgents’目录下追加一个首选项(‘ plist ‘)文件,这确保了每次用户登录到一个图形会话，且ChromeLoader的Bash脚本可以持续运行。 转自 Freebuf，原文链接：https://www.freebuf.co

某些WSO2产品允许不受限制地上传文件，从而执行远程代码。以WSO2 API Manager 为例，它是一个完全开源的 API 管理平台。

2022年4月中旬，客户反馈收到以工资补贴相关为诱饵的钓鱼邮件。邮件附件为doc文档，其中包含一个二维码（如下图所示）。扫描二维码后，将跳转到钓鱼链接

Bleeping Computer 网站披露，美国联邦贸易委员会（FTC）将对推特处以 1.5 亿美元巨额罚款，原因是该公司将收集到的电话号码和电子邮件地址，用于定向广告投放。 根据法庭披露出的信息来看，自 2013 以来，Twitter 以保护用户账户为理由，开始要求超过了 1.4 亿用户提供个人信息，但并没有告知用户这些信息也将允许广告商向其投放定向广告。 推特此举违反了联邦贸易委员会法案和 2011 年委员会行政命令，这些法案明确禁止了该公司歪曲隐私和安全做法，并从欺骗性的收集数据中获利。 据悉，早在 2009 年 1 月至 5 月期间，在黑客获得推特的管理控制权后，该公司未能保护用户的个人信息，行政命令随之颁布。 推特遭受巨额罚款 FTC 主席 Lina M. Khan 表示，Twitter 以进行安全保护为由，从用户处获得数据，但最后也利用这些数据向用户投放广告，这种做法虽然提高了 Twitter 的收入来源，但也影响了超过 1.4 亿 Twitter 用户，1.5 亿美元的罚款侧面反映了 Twitter 这一做法的严重性。 美国检察官 Stephanie M. Hinds 强调，为防止威胁用户隐私，今后将实施大量新的合规措施，联邦贸易委员会拟议命令的其他条款包括以下几条： 1. 禁止 Twitter 从欺骗性收集的数据中获利； 2. 允许用户使用其他多因素身份验证方法，比如不需要用户提供电话号码的移动身份验证应用程序或安全密钥； 3. 通知用户 ，twitter 滥用了为帐户安全而收集的电话号码和电子邮件地址，以并提供有关  Twitter  隐私和安全控制的信息； 4. 实施和维护全面的隐私和信息安全计划，要求公司检查和解决新产品的潜在隐私和安全风险； 5. 限制员工访问用户的个人数据； 6. 如果公司遇到数据泄露，需立刻通知 FTC。 目前，推特已同意与联邦贸易委员会达成和解，支付 1.5 亿美元的民事罚款，并对使用用户信息进行广告盈利事件道歉。 除此之外，在联邦法院批准和解后，推特也将实施新的合规措施以改善其数据隐私做法。 类似案件 2018 年也发生了非常相似的事情，当时 Facebook 为其所有用户构建了复杂的广告配置文件，从用户的 2FA 电话号码到从其朋友个人资料中收集的信息，应有尽有。 后来，Facebook 使用用户的 2FA 电话号码作为附加载体，投放有针对性的广告。 转自 Fr

Retrieves values from JSON objects for data binding

相较年初以来的稳定，ChromeLoader恶意软件的数量在本月有所上升。

因欺诈性广告，美国联邦贸易委员会 （FTC）将对推特处以 1.5亿美元巨额罚款。

火线沙龙第25期-云原生应用安全专场
https://zone.huoxian.cn/d/1206-25
k8s常见组件配置不当利用记录
https://zone.huoxian.cn/d/1207-k8s
超过 38 万个开放的 Kubernetes API 服务器
https://www.shadowserver.org/news/over-380-000-open-kubernetes-api-servers/
自动化的 Azure 滥用研究 - 第一部分
https://securityboulevard.com/2022/05/automating-azure-abuse-research-part-1/
保护你的 AWS 环境安全的 6 个技巧
https://securityboulevard.com/2022/05/6-tips-for-successfully-securing-your-aws-environment/
了解容器安全 - 第二部分：安全建议
https://containerjournal.com/features/understanding-container-security-part-two-security-recommendations/
查看历史云安全技术资讯可以访问：
https://cloudsec.huoxian.cn/docs/information

最近在做一些安服项目，随便挖了一些漏洞，系统功能点太少，导致只有一些小的漏洞点，领导不是很满意，随后就有了以下内容。希望大家能从文中学到点知识，来应付工作压力。

我这边将近一年没做过app的渗透项目了，然后发现部分请求或关键参都做...

腾讯课堂《SQLite数据库逆向分析》