Trojanized WordPress Credentials Checker Steals 390,000 Credentials, Critical Vulnerability Discovered in Microsoft Azure MFA: Your Cybersecurity Roundup

Trojanized WordPress Credentials Checker Steals 390,000 Credentials in MUT-1244 Campaign
A sophisticated threat actor, tracked as MUT-1244, carried out a large-scale campaign over the past year and stole more than 390,000 WordPress credentials. The operation, which primarily targeted other threat actors as well as security researchers, red teamers, and penetration testers, relied on a trojanized WordPress credentials checker and GitHub repositories to compromise its victims.
The attackers used a malicious tool, "yawpp," which was advertised as a WordPress credentials checker. Many victims, including threat actors, used the tool to validate stolen credentials and unknowingly exposed their own systems and data. Alongside this, MUT-1244 set up numerous GitHub repositories containing backdoored proof-of-concept exploits for known vulnerabilities. These repositories were designed to look legitimate and often surfaced in trusted threat intelligence feeds such as Feedly and Vulnmon. This appearance of legitimacy deceived both professionals and malicious actors into running the malware, which was delivered by several methods, including backdoored configuration files, Python droppers, malicious npm packages, and PDF documents.
The campaign also included a phishing component. Victims were tricked into running commands to install what they believed was a CPU microcode update but was in fact malware. Once installed, the malware deployed both a cryptocurrency miner and a backdoor, allowing the attackers to steal sensitive data such as SSH private keys, AWS access keys, and environment variables. The stolen data was then exfiltrated to platforms such as Dropbox and file.io using credentials hardcoded in the malware.
Researchers Uncover Critical Vulnerability in Microsoft Azure MFA, Allowing Account Takeover
Security researchers at Oasis Security discovered a critical vulnerability in Microsoft Azure's multifactor authentication (MFA) system that allowed them to bypass MFA protection and gain unauthorized access to user accounts in about an hour. The flaw, caused by a lack of rate limiting on failed MFA attempts, left over 400 million Microsoft 365 accounts vulnerable to potential compromise, exposing sensitive data such as Outlook emails, OneDrive files, Teams chats, and Azure Cloud services.
By exploiting the vulnerability, dubbed "AuthQuake," attackers could make rapid, simultaneous attempts to guess the six-digit MFA code, which has 1 million possible combinations. The lack of user alerts during failed sign-in attempts made the attack stealthy and hard to detect. In addition, the researchers found that Microsoft's system allowed MFA codes to remain valid for about three minutes (2.5 minutes longer than the 30-second expiration recommended by RFC-6238), increasing the likelihood of a successful guess.
Through their testing, the researchers showed that within 24 sessions (about 70 minutes), attackers would have a better than 50% chance of guessing the code correctly.
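The two controls discussed above, a cap on failed MFA attempts and a narrow code validity window, are shown in the following added example. It is not code from Microsoft or Oasis Security; the `MfaVerifier` class, its limits, and the guess counts passed to `guess_probability` are assumptions made for illustration, and the secret is the public RFC 6238 test key.

```python
import hashlib
import hmac
import struct

STEP = 30    # RFC 6238 time step, in seconds
DIGITS = 6   # six-digit code: 10**6 possible values


def totp(secret: bytes, t: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class MfaVerifier:
    """Hypothetical verifier: capped failures per account, narrow time window."""

    def __init__(self, secret: bytes, max_failures: int = 5, drift_steps: int = 1):
        self.secret = secret
        self.max_failures = max_failures
        self.drift_steps = drift_steps  # accept +/- this many 30 s steps
        self.failures = 0               # failed attempts since the last success

    def verify(self, code: str, now: int) -> str:
        if self.failures >= self.max_failures:
            return "locked"             # refuse before comparing anything
        for d in range(-self.drift_steps, self.drift_steps + 1):
            if hmac.compare_digest(totp(self.secret, now + d * STEP), code):
                self.failures = 0
                return "ok"
        self.failures += 1
        return "denied"


def guess_probability(guesses_per_session: int, sessions: int) -> float:
    """Chance that blind guessing hits the code in at least one session,
    assuming one valid code per session and distinct guesses within it."""
    p = min(1.0, guesses_per_session / 10 ** DIGITS)
    return 1 - (1 - p) ** sessions
```

With a constructed figure of 30,000 unthrottled guesses per session, `guess_probability(30000, 24)` exceeds 50%, while a cap of 5 failures per session brings the same 24 sessions down to about 0.012%.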
Russia Blocks Viber for Allegedly Violating National Laws
Russia's telecommunications regulator, Roskomnadzor, has blocked the encrypted messaging app Viber for violating national laws. The app, which is used worldwide, was accused of failing to comply with regulations intended to prevent its use for terrorism, extremism, drug trafficking, and the dissemination of illegal information. Roskomnadzor justified the restriction as necessary to mitigate these risks and maintain compliance with Russian law.
Viber, which is available on desktop and mobile platforms, is widely popular, with over 1 billion downloads on the Google Play Store and significant user engagement on iOS. The move follows a series of actions by Russian authorities targeting foreign communication platforms. In June 2023, a Moscow court fined Viber 1 million for failing to remove content labeled as illegal, including material related to Russia's ongoing conflict in Ukraine. The crackdown on Viber is in line with the restrictions Russia has imposed on messaging services.