<h1>Storm-2561 Fake Enterprise VPN Client Attack: A Credential-Theft Campaign Spanning Multiple Vendors' Supply Chains</h1>

<p>Published 2026-03-18, https://blog.billows.com.tw/?p=4210</p>

<p>In March 2026, Microsoft security researchers <a href="https://www.microsoft.com/en-us/security/blog/2026/03/12/storm-2561-uses-seo-poisoning-to-distribute-fake-vpn-clients-for-credential-theft/">disclosed</a> a sophisticated attack campaign targeting enterprise environments. The threat group <strong>Storm-2561</strong> distributes fake enterprise-grade VPN clients, targeting enterprise users of mainstream solutions such as Ivanti, Cisco and Fortinet, in order to carry out large-scale credential theft.</p>

<p>This campaign is not aimed at a single product; it is a <strong>supply-chain-style attack (Supply Chain-style Targeting) that spans multiple VPN vendors</strong>, showing that the attackers have a deep understanding of enterprise remote-access architecture.</p>

<p><strong>Attack entry point: SEO poisoning hijacks enterprise user behaviour</strong></p>

<p>The attackers use <strong>SEO poisoning</strong> to manipulate search results, targeting common keywords such as:</p>

<ul class="wp-block-list">
<li>Pulse VPN download</li>
<li>Pulse Secure client</li>
</ul>

<p>Malicious sites are pushed to the top of the search results, leading users to fake "official" VPN download pages.</p>

<p>These phishing sites closely imitate legitimate vendor interfaces, so users download the malware without any suspicion.</p>

<p><strong>Expanding scope: the multi-vendor VPN ecosystem is broadly affected</strong></p>

<p>According to threat intelligence analysis, the brands involved in this campaign are not limited to VPN clients themselves; they also include several enterprise security and network equipment vendors, for example:</p>

<ul class="wp-block-list">
<li>Sophos</li>
<li>SonicWall</li>
<li>Check Point</li>
<li>WatchGuard</li>
</ul>

<p>This shows that the attackers are not locked onto a single product but are broadly targeting the entire population of enterprise VPN users.</p>

<p><strong>Attack chain analysis: from fake download to persistent control</strong></p>

<p><strong>Malicious download source</strong></p>

<p>Victims are directed to a ZIP archive hosted on GitHub (since taken down) containing an MSI installer disguised as a VPN client.</p>

<p><strong>Malicious installation behaviour</strong></p>

<p>After execution, the following behaviour occurs on the system:</p>

<ul class="wp-block-list">
<li>Pulse.exe is installed to %CommonFiles%\Pulse Secure</li>
<li>At the same time, the following files are dropped:
<ul class="wp-block-list">
<li>dwmapi.dll (loader)</li>
<li>inspector.dll (Hyrax infostealer variant)</li>
</ul>
</li>
</ul>

<p><strong>Malicious functionality: credential theft and configuration exfiltration</strong></p>

<p>The fake VPN client has a highly realistic interface that lures users into entering their login details, and then performs the following malicious actions:</p>

<ul class="wp-block-list">
<li>Captures the VPN username and password</li>
<li>Steals the VPN configuration file (connectionsstore.dat)</li>
<li>Sends the data back to the attacker's C2 (command-and-control) infrastructure</li>
</ul>

<p>This means the attackers obtain not only credentials but also the enterprise's VPN connection settings, further raising the success rate of follow-on intrusions.</p>

<p><strong>Abuse of trust: a legitimate digital signature bypasses defences</strong></p>

<p>The malware is signed with a legitimate certificate from <strong>Taiyuan Lihua Near Information Technology Co., Ltd.</strong> (since revoked).</p>

<p>Its effects include:</p>

<ul class="wp-block-list">
<li>Bypassing Windows security warnings</li>
<li>Lowering user suspicion</li>
<li>Raising the malware's execution success rate</li>
</ul>

<p>This once again highlights that:</p>

<p><strong>Digital signatures themselves have become a trust mechanism that can be weaponised.</strong></p>

<p><strong>Highly stealthy design: users barely notice the compromise</strong></p>

<p>To reduce the risk of exposure, the attack flow includes a carefully designed cover mechanism:</p>

<ol start="1" class="wp-block-list">
<li>The fake VPN interface operates normally and collects credentials</li>
<li>An installation error message is displayed</li>
<li>The user is directed to the official website to download the genuine VPN</li>
<li>The genuine VPN connects normally</li>
</ol>

<p>Because the VPN ultimately works, most users attribute the initial failure to a "technical problem" rather than to a security incident.</p>

<p><strong>Persistence mechanism: ensuring long-term survival</strong></p>

<p>The malware establishes persistence through a Windows <strong>RunOnce registry key</strong>, so that Pulse.exe still runs after a system reboot, ensuring continued control of the victim host.</p>

<p><strong>Security perspective: credential theft as the first step of enterprise penetration</strong></p>

<p>The real goal of this kind of attack is not simply credential collection, but:</p>

<ul class="wp-block-list">
<li>Serving as the initial access point for penetrating the enterprise internal network (Initial Access)</li>
<li>Supporting subsequent lateral movement (Lateral Movement)</li>
<li>Launching data exfiltration or ransomware attacks</li>
</ul>

<p>Once VPN credentials are stolen, the attacker effectively holds a "legitimate ticket into the enterprise network".</p>

<p><strong>Conclusion</strong></p>

<p>The Storm-2561 campaign clearly reveals a trend:</p>

<p><strong>The enterprise's most critical line of defence is shifting from perimeter devices to "user behaviour and sources of trust".</strong></p>

<p>When search engines, open-source platforms (GitHub) and legitimate certificates are abused at the same time, traditional defence models struggle to cope.</p>

<p>Under a zero-trust architecture, enterprises must re-examine:</p>

<ul class="wp-block-list">
<li>Software acquisition processes</li>
<li>User download behaviour</li>
<li>Trust-chain verification mechanisms</li>
</ul>

<p>Otherwise, even the strongest perimeter protection can fall entirely because of a single wrong download.</p>