- 1. Critical Vulnerability in Premium WordPress Themes Allows for Site Takeover
"One of the flaws—tracked as CVE-2022-1654 and rated as 9.9, or critical on the CVSS—allows for “any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges and completely take over any site running either the Jupiter Theme or JupiterX Core Plugin,” he wrote. The plugin is required to run the JupiterX theme." - Not sure how we got to 9.9 when it still requires some level of authenticated user...
- 2. Downloading Pwned Passwords Hashes with the HIBP Downloader
"The idea of taking 16^5 hash ranges, bundling them all up into a single monolithic archive then making it all downloadable seemed a non-trivial task."
- 3. Using NMAP to Assess Hosts in Load Balanced Clusters
Good tip: "So, how do we work through this problem of "my DNS target is now multiple different hosts, each with their own IP", and add to that, now dozens or hundreds of other hosts (from other organizations) now reside on those same IP addresses?
By default, nmap will only assess the first IP returned for the DNS query against your hostname. "
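Added example, not from the article: resolve every address behind a load-balanced name (getaddrinfo repeats each IP once per socket type, so dedupe), emit one nmap run per backend, then parse the grepable output and flag ports that only some cluster members expose. The 203.0.113.x addresses and the grepable sample are constructed.

```python
import socket
from typing import Callable, Dict, List, Set

def resolve_all(host: str, resolver: Callable = socket.getaddrinfo) -> List[str]:
    """Every distinct address behind a hostname, in resolver order."""
    ips: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in resolver(host, None):
        if sockaddr[0] not in ips:
            ips.append(sockaddr[0])
    return ips

def nmap_commands(ips: List[str], ports: str = "22,80,443") -> List[List[str]]:
    """One nmap invocation per backend; grepable output on stdout (-oG -)."""
    return [["nmap", "-Pn", "-p", ports, "-oG", "-", ip] for ip in ips]

def parse_grepable(output: str) -> Dict[str, Set[str]]:
    """Map host IP -> set of 'port/proto' reported open in nmap -oG output."""
    per_host: Dict[str, Set[str]] = {}
    for line in output.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        open_ports: Set[str] = set()
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(fields) >= 3 and fields[1] == "open":
                open_ports.add(f"{fields[0]}/{fields[2]}")
        per_host[ip] = open_ports
    return per_host

def inconsistent_ports(per_host: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Ports open on some members but not all -> the hosts that expose them."""
    if not per_host:
        return {}
    every = set().union(*per_host.values())
    common = set.intersection(*per_host.values())
    return {p: sorted(h for h, s in per_host.items() if p in s) for p in sorted(every - common)}

# Constructed grepable output for two backends of one load-balanced name
# (TEST-NET addresses, not real hosts). Only the first member exposes SSH.
SAMPLE_GREPABLE = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)\n"
    "Host: 203.0.113.11 ()\tPorts: 22/closed/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)\n"
)

if __name__ == "__main__":
    print(inconsistent_ports(parse_grepable(SAMPLE_GREPABLE)))  # {'22/tcp': ['203.0.113.10']}
```

Recent nmap releases also accept --resolve-all to scan every resolved address in one run; the per-member diff above is still what tells you a cluster node has drifted.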
- 4. CISA adds 41 flaws to its Known Exploited Vulnerabilities Catalog
738 if you're counting at home (https://www.cisa.gov/known-exploited-vulnerabilities-catalog). Given there are 176k+ CVEs (https://www.cvedetails.com/), I believe this is good guidance. I'd flag these in my VM and make sure they get patched at the highest priority.
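Added example of the flagging just described, not from the article: index the KEV feed by CVE ID and sort scanner findings KEV-first (by CISA due date), then by CVSS, so a KEV entry with a modest score outranks an unexploited critical. The feed excerpt mirrors the field names of CISA's JSON feed, but its CVE IDs and the findings are constructed placeholders.

```python
import json
import re
from typing import Dict, Iterable, List, Tuple

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed excerpt in the shape of the KEV JSON feed; the IDs are placeholders.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleApp",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-06-14"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleOS",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-05-30"},
    ],
})

# Constructed scanner findings: (asset, cve, cvss_base). The 5.3 is in KEV, the 9.8 is not.
SAMPLE_FINDINGS = [
    ("web-01", "CVE-0000-0001", 5.3),
    ("web-01", "CVE-0000-0099", 9.8),
    ("db-02", "CVE-0000-0002", 7.5),
    ("db-02", "cve-0000-0002", 7.5),  # same finding, different case: dropped as duplicate
]

def load_kev(feed_text: str) -> Dict[str, dict]:
    """Index the KEV feed by upper-cased CVE ID."""
    return {v["cveID"].upper(): v for v in json.loads(feed_text)["vulnerabilities"]}

def prioritize(findings: Iterable[Tuple[str, str, float]], kev: Dict[str, dict]) -> List[dict]:
    """KEV findings first (earliest due date first), then the rest by CVSS descending."""
    rows, seen = [], set()
    for asset, cve, cvss in findings:
        cve = cve.upper()
        if not CVE_RE.fullmatch(cve) or (asset, cve) in seen:
            continue  # skip malformed IDs and duplicates
        seen.add((asset, cve))
        entry = kev.get(cve)
        rows.append({"asset": asset, "cve": cve, "cvss": cvss,
                     "kev": entry is not None,
                     "due": entry["dueDate"] if entry else None})
    return sorted(rows, key=lambda r: (not r["kev"], r["due"] or "9999", -r["cvss"]))

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS, load_kev(SAMPLE_KEV_JSON)):
        print(row)
```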
- 5. Microsoft vulnerabilities down for 2021
Counting CVEs is just silly. Multiple CVEs could be assigned for the same vulnerability, and multiple vulnerabilities can be addressed in a single advisory. Stop counting and comparing, it's just silly.
- 6. Chaining Zoom bugs is possible to hack users in a chat by sending them a message
"Chaining the above vulnerabilities, an attacker can trick a vulnerable client into connecting to a rogue server, potentially leading to arbitrary code execution due to an update package downgrade in Zoom Client for Windows that could allow the installation of a less secure version."
- 7. Lumos System Can Find Hidden Cameras and IoT Devices in Your Airbnb or Hotel Room
"At its core, the platform works by snuffing and collecting encrypted wireless packets over the air to detect and identify concealed devices. Subsequently, it estimates the location of each identified device with respect to the user as they walk around the perimeter of the space. The localization module, for its part, combines signal strength measurements that are available in 802.11 packets (aka Received Signal Strength Indicator or RSSI) with relative user position determined by visual inertial odometry (VIO) information on mobile phones." - Snuffing? Okay, we typically say sniffing. Which, by the looks of it, you could do the same thing with Kismet...
- 8. r/InfoSecNews – U.S. DOJ will no longer prosecute ethical hackers under CFAA
Well, let's get hacking, people! - "With this policy update, the DOJ is separating cases of good-faith security research from ill-intended hacking, which were previously distinguished by a blurred line that frequently placed ethical security research in a problematic, gray legal area. Under these new policies, software testing, investigation, security flaw analysis, and network breaches intended to promote the security and safety of the target devices or services are not to be prosecuted by federal prosecutors."
- 9. 380K Kubernetes API Servers Exposed to Public Internet
"While [Kubernetes] provides massive benefits to enterprises for agile app delivery, there are a few characteristics that make it an ideal attack target for exploitation,” he said. “For instance, as a result of having many containers, Kubernetes has a large attack surface that could be exploited if not pre-emptively secured." - Complexity breeds vulnerability.
- 10. Announcing PSP Security Protocol is now open source
Interesting: "To address these challenges, we developed PSP (a recursive acronym for PSP Security Protocol), a TLS-like protocol that is transport-independent, enables per-connection security, and is offload-friendly. At Google, we employ all of these protocols depending on the use case. For example, we use TLS for our user-facing connections, we use IPsec for site-to-site encryption where we need interoperability with 3rd party appliances, and we use PSP for intra- and inter-data center traffic." - Don't invent your own protocol, especially for encryption, I mean unless you're Google.
- 11. National bank hit by ransomware trolls hackers with dick pics
Wow: "However, instead of paying the ransom, the bank representatives responded to the ransom negotiation by making fun of the hacker's '14m3-sk1llz.' They then proceeded to post a link to a dick pic while stating, "suck this dick and stop locking bank networks thinking that you will monetize something, learn to monetize."" - That's some balls right there...
- 12. Fake Windows exploits target infosec community with Cobalt Strike
I hate binary exploits for just this reason: "However, it soon became apparent that these proof-of-concept exploits were fake and installed Cobalt Strike beacons on people's devices. Cobalt Strike is a legitimate pentesting tool that threat actors commonly use to breach and spread laterally through an organization. In a subsequent report by cybersecurity firm Cyble, threat analysts analyzed the PoC and found that it was a .NET application pretending to exploit an IP address that actually infected users with the backdoor."
- 13. Popular Python and PHP libraries hijacked to steal AWS keys
"'ctx' is a minimal Python module that lets developers manipulate their dictionary ('dict') objects in a variety of ways. The package, although popular, had not been touched since 2014 by its developer, as seen by BleepingComputer. However, newer versions emerged starting May 15th into this week and contained malicious code:"
- 14. Outlets tricked by 7-zip CVE-2022-29072 hoax
Not sure if we covered this last month; if we did, we apologize for not vetting the source. We believe this to be a hoax now...