Cybersecurity information flow

3 月 22 日，FreeBuf 企业安全俱乐部·北京站在北京希尔顿逸林酒店隆重举行。

Judging Management System v1.0 - Remote Code Execution (RCE)

rconfig 3.9.7 - Sql Injection (Authenticated)

Spitfire CMS 1.0.475 - PHP Object Injection

Senayan Library Management System v9.0.0 - SQL Injection

Bludit 3-14-1 Plugin 'UploadPlugin' - Remote Code Execution (RCE) (Authenticated)

CoolerMaster MasterPlus 1.8.5 - 'MPService' Unquoted Service Path

qubes-mirage-firewall  v0.8.3 - Denial Of Service (DoS)

WooCommerce v7.1.0 - Remote Code Execution(RCE)

ASKEY RTF3505VW-N1 - Privilege Escalation

EQ Enterprise management system v2.2.0 - SQL Injection

The release repo for "Vicuna: An Open Chatbot Impressing GPT-4"

市场监管总局、中央网信办、工业和信息化部、公安部就开展国家统一推行的网络安全服务认证工作提出以下意见。

企业在实施零信任安全体系中可能遇到哪些挑战和困难？在混合云和多云环境中，如何利用零信任模型来保证云环境业务的安全性？

Bitter（蔓灵花）是一个长期活跃的南亚网络间谍组织，主要针对能源和政府部门实施敏感资料窃取等恶意行为，过去曾攻击过巴基斯坦、中国、孟加拉、沙特阿拉伯等国，具有明显的政治背景。

On 30 March, simultaneous actions were carried out in Brazil with Europol’s support to dismantle the criminal group that reached from Paraguay to Europe. A total of 15 individuals were arrested, and over EUR 80 million worth of assets were seized.  Over the course of the investigation, over 17 tonnes of cocaine linked to this criminal organisation were seized, with…
Article Link: 15 arrested in Brazil over 17 tonnes of cocaine worth billions | Europol
1 post - 1 participant
Read full topic

Today, cybercriminals are more sophisticated than ever and tend to exploit the weakest point of organizations to gain unauthorized access to their systems. Any vulnerabilities or misconfigurations provide an easy entry point for attackers. As a result, the security posture of any organization is only as strong as its weakest link.
Article Link: Top 10 Security Risks: Vulnerabilities, Misconfigurations, and User Behavior to Avoid
1 post - 1 participant
Read full topic

On the 31st of October 2022, a PR on CrackMapExec from Thomas Seigneuret (@Zblurx) was merged. This PR fixed Kerberos authentication in the CrackMapExec framework. Seeing that, I instantly wanted to try it out and play a bit with it. While doing so I discovered a weird behaviour with the Protected Users group. In this blogpost I’ll explain what the Protected Users group is, why it is a nice security feature and yet why it is incomplete for the Administrator (RID500) user.

Elastic Security detection content for Endpoint

A curated list of awesome YARA rules, tools, and people.

免费的 ChatGPT 镜像网站列表，持续更新。List of free ChatGPT mirror sites, continuously updated.

For the latest discoveries in cyber research for the week of 27th March, please download our Threat_Intelligence Bulletin TOP ATTACKS AND BREACHES New victims of Clop ransomware gang that leveraged for the attack purpose a zero-day security flaw (CVE-2023-0669) in the Fortra GoAnywhere Managed File Transfer system were disclosed. Among those are the American luxury […]
The post 27th March – Threat Intelligence Report appeared first on Check Point Research.

Key Takeaways Background What causes a man to wake up one day and say, “I’m going to build my own malware and go sell it to cybercriminals on the dark web”? After all, the market is saturated with competitors, and the product is judged on the one sole metric of how many victims it has […]
The post Rhadamanthys: The “Everything Bagel” Infostealer appeared first on Check Point Research.

FirmAE 是一个执行仿真和漏洞分析的全自动框架。FirmAE 使用五种仲裁技术显著提高仿真成功率（从Firmadyne的 16.28% 提高到 79.36%）。

作者：billion@知道创宇404实验室
时间：2023年3月31日  
parse-server公布了一个原型污染的RCE漏洞，看起来同mongodb有关联，so跟进&&分析一下。
BSON潜在问题
parse-server使用的mongodb依赖包版本是3.6.11，在node-mongodb-drive <= 3.7.3 版本时，使用1.x版本的bson依赖处理...

国防部首席信息安全官Sherman指出，美国军方将在2027年全面实施零信任。

Free ChatGPT Site List 这儿为你准备了众多免费好用的ChatGPT镜像站点，当前100+站点

CodeMirror component for Vue3

Python模块注入技术简析