Security news weekly round-up - 19th June 2026
Defenders don’t rest. They wake up every day thinking about how to protect the systems in their charge. Meanwhile, attackers are also looking for crafty ways to infect a system or break into computer networks. In the end, it’s good for everyone if defenders are always one step ahead of the attackers.
EvilTokens: A phishing attack that doesn’t steal your password
A phishing attack that does not require creating fake login pages or stealing your passwords. I was speechless when I read the article’s title and deservedly so when I read how the attackers executed the attack. The following should get you started: EvilTokens is a phishing-as-a-service (PhaaS) kit built to compromise Microsoft 365 accounts by abusing the OAuth 2.0 device authorization grant flow. As attacks that use the kit rely on device code phishing, they sidestep the need for convincing replicas of genuine login pages where the victims would hand over their passwords. Instead, attackers get the victim to complete a legitimate authentication process – including two-factor authentication (2FA) – on a real Microsoft login page.
One-Click Microsoft 365 Copilot Flaw Could Have Let Attackers Steal Emails, Files, and MFA Codes
The good news is that MSFT mitigated the flaw. What’s left for tenant admins is to watch and contain. The interesting thing is how the researchers pulled off the attack. Here is what they did: Researchers at Varonis Threat Labs chained three bugs into a one-click exfiltration path they call SearchLeak. Because the link pointed to a real microsoft.com domain, traditional anti-phishing and URL filtering tools were unlikely to flag it. The entry point is the q parameter in the Copilot Enterprise Search URL. It is meant for a natural-language query, but Copilot reads whatever sits there as instructions, not just a search string. Varonis calls this Parameter-to-Prompt injection.
Low-skilled attacker used Claude, Codex to breach 14 companies
The barrier to entry into cybercrime has never been this low, and what’s reported in this article proves it. Also, you’d expect that since the attacker is tagged as low-skilled, they would make rookie OPSEC mistakes; yes, they did. From the article: “In many cases, the attacker supplied only vague, low-skill prompts and allowed Claude to fill in the gaps: researching exposed services, identifying possible vulnerabilities, writing exploit code, validating access, and harvesting data,” the researchers noted. “The attacker did not need to be an expert operator; they simply had to use the correct framing for their prompts. The agent supplied much of the structure and technical execution that the attacker appeared to lack.”
Massive breach spills credentials for thousands of sensitive networks
Just when you think we are safe, that we have firewalls and the big tech guys to protect our infrastructure, you read an article like this and almost give up, thinking: which system is safe? Here is what’s going on: “The scale of this breach touches nearly every sector of the global economy, sparing no industry,” researchers from Hudson Rock, a security firm that also analyzed the data, wrote. “The threat actors have built a verified database of working credentials for some of the largest enterprises on the planet.”
Rokarolla Android trojan targets banking and crypto users, enables device takeover
Android Trojans and their funny names are something else. The article’s title clearly states what the Trojan does. One thing that surprises me every time I read an article like this: given the amount of effort that the developers put into this malware, can’t they put the same effort into developing an application that they can somehow monetize? Or something like that? I mean, read the following: “Its malicious capabilities include harvesting lock screen credentials, exfiltrating sensitive contact lists and SMS data, and utilizing keyloggers to continuously record user input,” the researchers said. “Furthermore, the trojan actively conceals its operations and disrupts user intervention by blocking incoming calls, deploying fraudulent screen overlays, suppressing device audio, and deactivating Google Play Protect.”
USB worm spreads crypto-stealing malware via Windows shortcut files
I don’t know. At the end of the day, and most of the time, some malware is just after stealing something from an infected system. This is yet another example. From the article: The campaign has been active since at least February and relies on LNK (shortcut) files on USB drives to push clipper malware that monitors clipboard contents and replaces cryptocurrency wallet addresses with ones controlled by the attacker. Microsoft says that the infection process starts with the victim opening the LNK file, triggering the malware on the USB drive. Additional payloads are staged from a .ONION address.
Credits: Cover photo by Debby Hudson on Unsplash. That’s it for this week, and I’ll see you next time.