Aggregator

本周，互联网网络安全态势整体评价为良。

HackerNews 编译，转载请注明出处： 赫尔辛基2024年发生的数据泄露事件影响了超过30万人的敏感个人信息，为网络安全专业人士提供了宝贵的教训。 芬兰安全调查局 (SIAF/OTKES) 对这起事件进行了长达一年的调查，并于2025年6月17日发布了技术报告。 芬兰国家网络安全中心（NCSC-FI）高级专家马蒂亚斯·梅西娅 (Matias Mesia) 领导了该机构的任务小组，协助赫尔辛基从泄露事件中恢复。 在6月23日于哥本哈根举行的FIRSTCON会议上，他分享了关于该事件的见解以及用于遏制和缓解泄露的策略，为面临类似网络安全挑战的其他人提供了实用指导。 关于赫尔辛基2024年数据泄露的见解 赫尔辛基拥有约4万名员工和4-5亿欧元（4.6-5.8亿美元）的预算，它不仅是芬兰的首都和最大城市（2025年3月吸引了全国12%的人口，即686,595名居民），也是该国最大的雇主。 4月30日晚上11点30分，赫尔辛基市有人向NCSC-FI报告了一起潜在的数据泄露事件。在次日（5月1日）早期媒体报道后，赫尔辛基于5月2日公开发布声明，确认泄露影响了该组织的教育部门（KASKO）。 在赫尔辛基市、NCSC-FI 以及一家私营数字取证和事件响应 (DFIR) 合作伙伴展开调查的数日内，受感染的设备被确认。这是一台由KASKO用作VPN连接接收路由器的思科ASA 5515防火墙设备。该硬件于2014年安装，最后一次更新是在2016年。2017年，负责该设备的人员离开了组织。 攻击者的作案手法也在调查早期被确认。攻击始于暴力破解，随后通过用户计算机与路由器之间的远程连接（利用思科AnyConnect软件）进行漏洞利用。设备崩溃后，攻击者（使用在暗网上找到的凭证登录）得以在内部系统中横向移动，并获得了对微软Active Directory、虚拟化服务器和备份服务器的特权访问权限，从而窃取数据。 赫尔辛基市很快意识到数据量相当巨大（约1000万份文件或2TB数据被盗），最初估计有12万人可能受影响，随后重新评估为15,000人，最终确定为超过30万人。 受害者范围广泛，包括城市雇员、儿童保育津贴申请人、私立学校工作人员、融合培训学生、2005年至2018年间出生的学生及其亲属等。 “然而，我们很早就知道没有密码被泄露，也没有收到勒索要求，”梅西娅在FIRSTCON的演讲中表示。 此外，至今未对事件进行归因。“警方仍在调查此案，”梅西娅在会后告诉Infosecurity。 NCSC-FI在事件响应过程中的角色 赫尔辛基数据泄露事件是NCSC-FI以最高参与级别（该机构称为“特殊案件”）处理的18起案件之一。 NCSC-FI于2024年5月9日开始协助赫尔辛基市，投入10至20名工作人员直至2024年6月，其中一半专注于技术修复，其余人员负责合规、沟通和数据泄露报告等各种任务。 在其各项贡献中，NCSC-FI为赫尔辛基市的调查提供建议，协助策划新闻发布会，提供定制场景，并于2024年5月底协调举办了一场专家研讨会，参与者包括芬兰各市镇的管理团队和安全专家。 2024年5月30日，NCSC-FI工作人员举行了一次内部“经验教训”会议，涵盖五个领域，后来形成了五份专题“经验教训”报告： 组织、协调与领导报告 案件协调报告 技术报告 法律报告 沟通报告 NCSC-FI成员继续向赫尔辛基市提供IT技术指导，直到6月底案件“平息下来”，正如梅西娅在FIRSTCON上所言。 “我们还发布了一份40页的文件，介绍如何创建高效的事件响应任务小组，”梅西娅补充道。 2024年7月，SIAF开始了自己的取证调查。 经验教训与未来发展 梅西娅在接受Infosecurity采访时分享了他在赫尔辛基案件中的三大收获： 涉及边缘设备（尤其是未打补丁或过时的设备）被入侵的网络事件应被视为严重事件。 组织应为事件响应和业务连续性流程做好后勤准备，包括确定要使用的通信工具以及建立操作模板。 组织应在任务小组中纳入各种不同背景的人员，包括有网络事件经验的人员和没有经验的人员。 此外，在演讲中，这位NCSC-FI高级专家分享了一些给事件响应者的个人建议： 保持聊天记录整洁——不发表情包，不闲聊。 合作并委派任务。 使用时间线，特别是向领导团队解释正在发生/已经发生的事情。 反复扫描您的网络。 在组织内部和公众中分享关于事件的信息——因为如果您不这样做，总会有人来填补信息真空。 谨慎处理信息。 尊重政治和媒体。 最后，梅西娅告诉Infosecurity，赫尔辛基事件促使NCSC-FI开发一个新的三级系统来评估网络事件，以确定该机构应投入多少精力（即应有多少NCSC-FI人员参与处理案件）。 该框架仍在开发中，但可能会将事件分为三个优先级： 中等优先级：由少数NCSC-FI工作人员处理。 高优先级：由最多10名NCSC-FI工作人员处理。 关键优先级：由超过10名NCSC-FI工作人员全力处理事件。 梅西娅宣布：“我认为明年在FIRSTCON上，我们可以准备一个很好的演示来介绍这个即将推出的框架。”       消息来源： infosecurity-magazine； 本文由 HackerNews.cc 翻译整理，封面来源于网络； 转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability classified as problematic has been found in syncfusion ej2-spreadsheet 27.2.2. Affected is the function lib.setValue. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). This vulnerability is traded as CVE-2024-57064. The attack needs to be done within the local network. There is no exploit available.

A vulnerability classified as problematic was found in dot-qs 0.2.0. Affected by this vulnerability is the function lib.parse. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). This vulnerability is known as CVE-2024-57067. The attack needs to be initiated within the local network. There is no exploit available.

A vulnerability, which was classified as problematic, was found in utile 0.3.0. This affects the function lib.createPath. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). This vulnerability is uniquely identified as CVE-2024-57065. Access to the local network is required for this attack to succeed. There is no exploit available.

A vulnerability has been found in ndhoule defaults 2.0.1 and classified as problematic. This vulnerability affects the function lib.deep. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). This vulnerability was named CVE-2024-57066. The attack needs to be approached within the local network. There is no exploit available.

A vulnerability classified as problematic has been found in NodeBB 3.11.0. This affects an unknown part of the component About Me Section. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2024-57041. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in php-date-formatter 1.3.6 and classified as problematic. Affected by this issue is the function lib. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). This vulnerability is handled as CVE-2024-57063. The attack can only be initiated within the local network. There is no exploit available.

A vulnerability was found in TOTOLINK A810R 4.1.2cu.5032. It has been rated as critical. This issue affects some unknown processing of the file downloadFile.cgi of the component HTTP Request Handler. The manipulation leads to command injection. The identification of this vulnerability is CVE-2024-57036. The attack may be initiated remotely. There is no exploit available.

A vulnerability classified as critical was found in WeGIA 3.2.0. Affected by this vulnerability is an unknown functionality of the file /controle/control.php. The manipulation of the argument nextPage leads to sql injection. This vulnerability is known as CVE-2024-57035. The attack can be launched remotely. There is no exploit available.

A vulnerability, which was classified as critical, was found in WeGIA up to 3.1.x. This affects an unknown part of the file query_geracao_auto.php. The manipulation of the argument Query leads to sql injection. This vulnerability is uniquely identified as CVE-2024-57034. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in WeGIA up to 3.1.x. It has been classified as problematic. Affected is an unknown function of the file documentos_funcionario.php. The manipulation of the argument dados_addInfo leads to cross site scripting. This vulnerability is traded as CVE-2024-57033. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in TOTOLINK X5000R 9.1.0cu.2350_B20230313. It has been declared as critical. This vulnerability affects the function setWiFiScheduleCfg. The manipulation of the argument desc leads to os command injection. This vulnerability was named CVE-2024-57025. The attack can be initiated remotely. There is no exploit available.

A vulnerability classified as critical has been found in WeGIA up to 3.1.x. Affected is an unknown function of the file controle/control.php. The manipulation of the argument senha_antiga leads to weak password recovery. This vulnerability is traded as CVE-2024-57032. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, has been found in WeGIA up to 3.1.x. Affected by this issue is some unknown functionality of the file /funcionario/remuneracao.php. The manipulation of the argument id_funcionario leads to sql injection. This vulnerability is handled as CVE-2024-57031. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic has been found in Wegia up to 3.1.x. Affected is an unknown function of the file /geral/documentos_funcionario.php. The manipulation of the argument ID leads to cross site scripting. This vulnerability is traded as CVE-2024-57030. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in TOTOLINK X5000R 9.1.0cu.2350_B20230313. It has been rated as critical. Affected by this issue is the function setWiFiScheduleCfg. The manipulation of the argument eMinute leads to os command injection. This vulnerability is handled as CVE-2024-57024. The attack may be launched remotely. There is no exploit available.

A vulnerability was found in Adobe Flash Player up to 11.2.202.457/13.0.0.281/17.0.0.169. It has been classified as critical. This affects an unknown part. The manipulation leads to race condition. This vulnerability is uniquely identified as CVE-2015-3081. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. It is recommended to apply a patch to fix this issue.

近期威胁情报速览！

HackerNews 编译，转载请注明出处： 美国驻印度大使馆宣布，申请F类（学生签证）、M类（职业培训签证）及J类（访问学者签证）的非移民签证申请人须将其社交媒体账户设为公开状态。新规旨在协助官员依据美国法律核实申请人身份及入境资格，使馆强调“每项签证审查都是国家安全决策”。 即日起生效的强制要求规定：所有申请上述签证的印度学生、职业培训生及交流访问学者，必须在提交签证申请前将所有个人社交媒体账户隐私设置调整为“公开”，以便官方开展身份核验与入境许可审查。若拒绝公开账户，可能构成拒签依据。 使馆声明指出，美国自2019年起已要求移民/非移民签证申请人提供社交媒体标识符。审查过程中将运用任何“可用”信息甄别不符合入境条件者，包括威胁国家安全人员，但未具体说明审查细则。 该政策正在全球多国同步推行。例如美国驻墨西哥大使馆要求申请人申报近五年使用过的所有社交媒体账号。此次调整源于特朗普政府数周前指令——全球使领馆曾暂停学生签证预约以扩大社交媒体审查范围，上周国务院重启流程时新增账户公开审查要求。 国务院最终声明明确：“美国必须在签证发放过程中保持警惕，确保申请人无伤害美国公民及国家利益的意图，并能可信证明其符合签证资格及入境目的。”       消息来源： thehackernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络； 转载请注明“转自 HackerNews.cc”并附上原文