Skip to content

安全通報:LiteLLM RCE 弱點鏈

關鍵威脅警訊:LiteLLM Proxy RCE 弱點鏈

多個弱點(SQLi、SSTI 及指令注入)已被揭露,攻擊者可藉此完全控制受影響之 LiteLLM 實例。

漏洞摘要

建議 ID類型權限需求嚴重程度
GHSA-r75f-5x8p-qvmcSQL 注入 (SQL Injection)未經授權關鍵 (9.3)
GHSA-xqmj-j6mv-4862模板注入 (SSTI)需要驗證高 (High)
GHSA-v4p8-mg3p-g94g指令執行 (Command Execution)需要驗證高 (High)

 

修復建議

受影響版本: v1.81.16 – v1.83.6

建議行動: 務必立即升級至 v1.83.7-stable 或更高版本。

網路獵捕 (runZero 查詢指令)

透過搜尋特定 HTTP 標頭與 HTML 標題來識別暴露的 LiteLLM 實例:

_asset.protocol:http AND protocol:http AND (html.title:=”LiteLLM%” OR last.html.title:=”LiteLLM%”)

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Google Workspace 網域切換遷移策略

在 Google Workspace 中執行網域切換是一項結構性任務。與標準遷移不同,網域身分必須即時從一個租戶釋放並由另一個租戶擷取。這需要一條零延遲的執行路徑.

架構轉捩點: 由於一個網域不能同時存在於兩個租戶中,身分識別必須暫時遷移至臨時網域,以便釋放主網域並在目標端重新驗證。
 

6 階段執行路線圖

  • 大規模數據灌入: 將大部分數據從來源端遷移至目標端的臨時準備網域,以縮減正式切換時的數據量。
  • 身分識別剝離: 使用 GAM 將所有來源端用戶從主網域更名至臨時次要網域。
  • 網域擷取: 將主網域從來源端釋放,並立即在目標端租戶完成驗證。
  • 最終對齊: 將目標端用戶從臨時地址更名回永久的主網域身分。
  • MX 切換與增量同步: 更新郵件路由指向,並執行最後的 Delta 同步以捕捉剩餘的郵件。
  • 安全緩衝期: 來源端租戶保留 30 天,作為唯讀的安全網以應對邊緣案例。
警告:「網域使用中」錯誤通常是由單個被遺忘的別名或群組引起的。對來源端環境進行自動化審計至關重要。

關於 CloudM

CloudM是專為Microsoft 365及Google Workspace設計的管理平台。它能簡化IT管理,核心功能包括:將資料順暢遷移上雲、自動化處理員工入職與離職流程,以及安全地備份和封存數據。其目標是為企業節省時間、降低錯誤,並高效運用雲端資源。

About Version 2

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Glasswing 範式:AI 資安防禦戰略

Glasswing 範式

在自主攻擊鏈時代,實現規模化的資安防禦

Project Glasswing 是 Anthropic 耗資 1 億美元的防禦倡議,利用尚未公開的 Claude Mythos 模型在全球基礎設施中識別並修補漏洞,以防對手將相同的 AI 能力武器化。

Mythos 的衝擊:機器速度下的漏洞發現

Claude Mythos 識別出了那些經歷過數十年專家人工審查、以及數百萬次自動化探測仍倖存下來的漏洞。

目標軟體漏洞潛伏時間營運衝擊
OpenBSD27 年底層記憶體損壞風險。
FFmpeg16 年逃過 500 萬次以上自動化探測的遠端漏洞。
FreeBSD17 年未經身分驗證的 Root 權限遠端執行。
「Mythos 發現了潛伏 27 年的人工審查死角。這類能力擴散的時間尺度是『月』,而非『年』。」

精實團隊的絕對優勢

規模並不能解決資安問題,反而會使其複雜化。當大型 SOC 為碎片化數據與 25% 的年度離職率掙扎時,精實團隊憑藉卓越的營運紀律與證據導向的工作流脫穎而出。

可解釋性AI 告警必須直接連結到原始日誌事件,以供分析師獨立驗證。

背景基準偏離值只有在與「正常行為」對比時才有意義。

受限自主權自動化回應僅在人類定義的護欄內運行。

利用 Graylog 實現韌性營運

Graylog 是為實戰資安團隊量身打造的。透過將 AI 嵌入到可觀測、證據豐富的工作流中,我們提供了現代威脅偵測所需的速度與問責架構。

 

關於 Graylog
Graylog 通過完整的 SIEM、企業日誌管理和 API 安全解決方案,提升公司企業網絡安全能力。Graylog 集中監控攻擊面並進行深入調查,提供卓越的威脅檢測和事件回應。公司獨特結合 AI / ML 技術、先進的分析和直觀的設計,簡化了網絡安全操作。與競爭對手複雜且昂貴的設置不同,Graylog 提供強大且經濟實惠的解決方案,幫助公司企業輕鬆應對安全挑戰。Graylog 成立於德國漢堡,目前總部位於美國休斯頓,服務覆蓋超過 180 個國家。

關於 Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Quantum Key Distribution (QKD) Technical Overview

2025-12-09  Real-time log encryption is now essential because logs contain sensitive data and serve as blueprints for sophisticated attackers like APTs and ransomware groups. Following incidents like the Salesforce third-party breach, organizations must treat logs as critical assets requiring protection from the moment they’re created. This proactive approach, exemplified by solutions like Penta Security’s D.AMO, neutralizes damage if storage is compromised and enhances threat detection by preventing attackers from analyzing unencrypted system architecture and account patterns.

Continue reading

ESET Research: New NGate hides in NFC payment app, possibly built with AI

  • ESET researchers discovered a new NGate malware variant abusing the legitimate Android HandyPay application.
  • To trojanize HandyPay, threat actors most likely used GenAI.
  • The campaign has been ongoing since November 2025 and targets Android users in Brazil.
  • ESET investigated two NGate samples being distributed in the attacks: one via a fake lottery website, the other through a fake Google Play website.

BRATISLAVAApril 21, 2026 — ESET Research has discovered a new variant of the NGate malware family that abuses a legitimate Android application called HandyPay, instead of the previously leveraged NFCGate tool. The threat actors took the app, which is used to relay NFC data, and patched it with malicious code that appears to have been AI generated. As with previous iterations of NGate, the malicious code allows the attackers to transfer NFC data from the victim’s payment card to their own device and use them for contactless ATM cash-outs and unauthorized payments. Additionally, the code can capture the victims’ payment card PINs and exfiltrate them to the operators’ C&C server. The primary targets of this are users in Brazil; however, NFC-based attacks are expanding into new regions.

The malicious code used to trojanize HandyPay shows signs of having been produced with the help of GenAI tools. Specifically, the malware logs contain an emoji typical of AI-generated text, suggesting that LLMs were involved in generating or modifying the code, although definitive proof remains elusive. This fits a broader trend in which GenAI lowers the barrier to entry for cybercriminals, enabling threat actors with limited technical skill to produce workable malware.

ESET Research believes that the campaign distributing the trojanized HandyPay began around November 2025 and remains active. It should also be noted that the maliciously patched version of HandyPay has never been available on the official Google Play store. As an App Defense Alliance partner, we shared our findings with Google. ESET also reached out to the HandyPay developers to alert them about the malicious use of their application.

As the number of NFC threats keeps rising, so too has the ecosystem supporting them become more robust. The first NGate attacks employed the open-source NFCGate tool to facilitate the transfer of NFC data. Since then, several malware-as-a-service (MaaS) offerings with similar functionality have become available for purchase. However, in this campaign the threat actors decided to go with their own solution and maliciously patched an existing app – HandyPay.

“Why did the operators of this campaign decide to trojanize the HandyPay app instead of going with an established solution for relaying NFC data? The answer is simple: money. The subscription fees for existing MaaS kits run in the hundreds of dollars: NFU Pay advertises its product for almost US$400 per month, while TX-NFC goes for around US$500 per month. On the other hand, the legitimate HandyPay app is significantly cheaper, only asking for a €9.99 per month donation, if even that. In addition to the price, HandyPay natively does not require any permissions, only to be made the default payment app, helping the threat actors avoid raising suspicion,” says ESET researcher Lukáš Štefanko, who discovered the new NGate variant in the trojanized NFC payment app.

The first new NGate sample is distributed through a website that impersonates Rio de Prêmios, a lottery run by the Rio de Janeiro state lottery organization (Loterj). The second NGate sample is distributed via a fake Google Play web page as an app named Proteção Cartão (machine translation: Card Protection). Both sites were hosted on the same domain, strongly implying a single threat actor. The malware abuses the HandyPay service to forward NFC card data to an attacker-controlled device. Apart from relaying NFC data, the malicious code also steals payment card PINs, enabling the threat actor to use the victim’s payment card data to withdraw cash from ATMs.

For a more detailed analysis of the new NGate variant, check out the latest ESET Research blog post, “New NGate variant hides in a trojanized NFC payment app,” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.

Geographical distribution of NGate attacks from January 2025 to February 2026

Map of the geographical distribution of NGate attacks from January 2025 to February 2026

 

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

×

Hello!

Click one of our contacts below to chat on WhatsApp

Social Chat is free, download and try it now here!

×