Malware, Cybercrime

Prank Calls, Lazarus APT, WordPress Critical Vulns, CISA Adds 41 Flaws, & Zoom Bugs – PSW #742

This week in the Security News: Chaining Zoom bugs is possible to hack users in a chat by sending them a message, Microsoft vulnerabilities down for 2021, CISA adds 41 flaws to its Known Exploited Vulnerabilities Catalog, Using NMAP to Assess Hosts in Load Balanced Clusters, Critical Vulnerability in Premium WordPress Themes Allows for Site Takeover, & more!

Full episode and show notes

Announcements

  • Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

Hosts

Paul Asadoorian
Founder at Security Weekly
  1. Critical Vulnerability in Premium WordPress Themes Allows for Site Takeover - "One of the flaws—tracked as CVE-2022-1654 and rated as 9.9, or critical on the CVSS–allows for “any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges and completely take over any site running either the Jupiter Theme or JupiterX Core Plugin,” he wrote. The plugin is required to run the JupiterX theme." - Not sure how we got to 9.9 when it still requires some level of authenticated user...
  2. Downloading Pwned Passwords Hashes with the HIBP Downloader - "The idea of taking 16^5 hash ranges, bundling them all up into a single monolithic archive then making it all downloadable seemed a non-trivial task."
  3. Using NMAP to Assess Hosts in Load Balanced Clusters - Good tip: "So, how do we work through this problem of "my DNS target is now multiple different hosts, each with their own IP", and add to that, now dozens or hundreds of other hosts (from other organizations) now reside on those same IP addresses? By default, nmap will only assess the first IP returned for the DNS query against your hostname."
  4. CISA adds 41 flaws to its Known Exploited Vulnerabilities Catalog - 738 if you're counting at home (https://www.cisa.gov/known-exploited-vulnerabilities-catalog), given there are 176k+ CVEs (https://www.cvedetails.com/), I believe this is good guidance. I'd flag these in my VM and make sure they get patched at the highest priority.
  5. Microsoft vulnerabilities down for 2021 - Counting CVEs is just silly. Multiple CVEs could be assigned for the same vulnerability, and multiple vulnerabilities can be addressed in a single advisory. Stop counting and comparing, it's just silly.
  6. Chaining Zoom bugs is possible to hack users in a chat by sending them a message - "Chaining the above vulnerabilities, an attacker can trick a vulnerable client into connecting to a rogue server, potentially leading to arbitrary code execution due to an update package downgrade in Zoom Client for Windows that could allow the installation of a less secure version."
  7. Lumos System Can Find Hidden Cameras and IoT Devices in Your Airbnb or Hotel Room - "At its core, the platform works by snuffing and collecting encrypted wireless packets over the air to detect and identify concealed devices. Subsequently, it estimates the location of each identified device with respect to the user as they walk around the perimeter of the space. The localization module, for its part, combines signal strength measurements that are available in 802.11 packets (aka Received Signal Strength Indicator or RSSI) with relative user position determined by visual inertial odometry (VIO) information on mobile phones." - Snuffing? Okay, we typically say sniffing. Which, by the looks of it, you could do the same thing with Kismet...
  8. r/InfoSecNews – U.S. DOJ will no longer prosecute ethical hackers under CFAA - Well, let's get hacking people! - "With this policy update, the DOJ is separating cases of good-faith security research from ill-intended hacking, which were previously distinguished by a blurred line that frequently placed ethical security research in a problematic, gray legal area. Under these new policies, software testing, investigation, security flaw analysis, and network breaches intended to promote the security and safety of the target devices or services are not to be prosecuted by federal prosecutors."
  9. 380K Kubernetes API Servers Exposed to Public Internet - "While [Kubernetes] provides massive benefits to enterprises for agile app delivery, there are a few characteristics that make it an ideal attack target for exploitation,” he said. “For instance, as a result of having many containers, Kubernetes has a large attack surface that could be exploited if not pre-emptively secured." - Complexity breeds vulnerability.
  10. Announcing PSP Security Protocol is now open source - Interesting: "To address these challenges, we developed PSP (a recursive acronym for PSP Security Protocol), a TLS-like protocol that is transport-independent, enables per-connection security, and is offload-friendly. At Google, we employ all of these protocols depending on the use case. For example, we use TLS for our user-facing connections, we use IPsec for site-to-site encryption where we need interoperability with 3rd party appliances, and we use PSP for intra- and inter-data center traffic." - Don't invent your own protocol, especially for encryption, I mean unless you're Google.
  11. National bank hit by ransomware trolls hackers with dick pics - Wow: "However, instead of paying the ransom, the bank representatives responded to the ransom negotiation by making fun of the hacker's '14m3-sk1llz.' They then proceeded to post a link to a dick pic while stating, "suck this dick and stop locking bank networks thinking that you will monetize something, learn to monetize."" - That's some balls right there...
  12. Fake Windows exploits target infosec community with Cobalt Strike - I hate binary exploits for just this reason: "However, it soon became apparent that these proof-of-concept exploits were fake and installed Cobalt Strike beacons on people's devices. Cobalt Strike is a legitimate pentesting tool that threat actors commonly use to breach and spread laterally through an organization. In a subsequent report by cybersecurity firm Cyble, threat analysts analyzed the PoC and found that it was a .NET application pretending to exploit an IP address that actually infected users with the backdoor."
  13. Popular Python and PHP libraries hijacked to steal AWS keys - "'ctx' is a minimal Python module that lets developers manipulate their dictionary ('dict') objects in a variety of ways. The package, although popular, had not been touched since 2014 by its developer, as seen by BleepingComputer. However, newer versions emerged starting May 15th into this week and contained malicious code:"
  14. Outlets tricked by 7-zip CVE-2022-29072 hoax - Not sure if we covered this last month, if we did, we apologize for not vetting the source. We believe this to be a hoax now...
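The 16^5 hash ranges mentioned in item 2 are the buckets behind the Pwned Passwords k-anonymity API: only the first five hex characters of a password's SHA-1 are sent, and the service answers with every 35-character suffix in that bucket plus a breach count. The script below is an added example (not code from the show, from Troy Hunt, or from the HIBP downloader) that does the split, parses a range body, and looks the local suffix up. The sample response, the counts in it, and the `fetch_range` callback are constructed for the example; the endpoint URL and the `Add-Padding` header are the real API's.

```python
"""Check a password against HIBP Pwned Passwords using the k-anonymity range API.

Added example for the PSW #742 notes; not code from HIBP or its downloader.
Only the 5-hex-char SHA-1 prefix leaves the machine (16**5 = 1,048,576 ranges).
"""
from __future__ import annotations

import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint
PREFIX_LEN = 5

# Constructed sample body for prefix 5BAA6. The first suffix is the genuine
# remainder of SHA-1("password"); the counts and the other suffixes are made
# up. A count of 0 is the shape of HIBP's optional padding lines.
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "1E2EBF7E3B97A3BC1D39A8FD4F1BF8A6F37:2",
    "0" * 34 + "A:0",
]) + "\r\n"


def password_range(password: str) -> tuple[str, str]:
    """Split SHA-1(password) into the prefix that is sent and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; tolerates CRLF, blank lines and padding entries."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 40 - PREFIX_LEN:
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_https(prefix: str) -> str:
    """Fetch one range from the live API (needs network; the offline test does not use it)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "psw742-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range=fetch_range_https) -> int:
    """Return how many times the password appears in Pwned Passwords (0 = not found).

    fetch_range(prefix) -> body is injectable so a local mirror of the
    downloaded ranges, or a canned body, can stand in for the HTTPS call.
    Padding lines carry count 0, so they can never produce a false hit.
    """
    prefix, suffix = password_range(password)
    counts = parse_range(fetch_range(prefix))
    return counts.get(suffix, 0)


if __name__ == "__main__":
    n = pwned_count("password", fetch_range=lambda _prefix: SAMPLE_RANGE_RESPONSE)
    print(f"'password' appears {n} times in the constructed sample range")
```

Because `pwned_count` takes the fetch function as a parameter, the same lookup works against a local copy produced by the downloader: point `fetch_range` at the per-prefix files instead of the API and nothing else changes.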
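Item 3's problem has two halves: a name that resolves to several backends, and backends whose IPs are shared with other organizations' hosts. The script below is an added example (not code from the show or from the SANS ISC diary it quotes) that resolves every address for each in-scope name, builds the reverse map of address to names so a shared IP is scanned once but reported against all of its names, and emits one nmap invocation per backend. The `FAKE_DNS` table and `fake_getaddrinfo` are constructed for offline use with documentation-range addresses; `--resolve-all`, `-6`, `-Pn`, `-sV` and `-p` are real nmap options.

```python
"""Expand in-scope DNS names to every backend address before scanning.

Added example for the PSW #742 notes; not code from the SANS ISC diary.
nmap scans only the first address a name resolves to unless --resolve-all
(Nmap 7.80 and later) is given; this script does the expansion itself so
it can also keep the address -> names map the diary's scoping problem needs.
"""
from __future__ import annotations

import ipaddress
import shlex
import socket
from collections import defaultdict

# Constructed DNS data (RFC 5737 / RFC 3849 documentation ranges):
# www sits behind a load balancer with three addresses; api shares one of them.
FAKE_DNS = {
    "www.example.test": ["203.0.113.10", "203.0.113.11", "2001:db8::10"],
    "api.example.test": ["203.0.113.11"],
}


def fake_getaddrinfo(host, port, family=0, type=0, proto=0, flags=0):
    """Mimic socket.getaddrinfo's return shape for the constructed table."""
    results = []
    for ip in FAKE_DNS.get(host, []):
        if ":" in ip:
            results.append((socket.AF_INET6, socket.SOCK_STREAM, 6, "", (ip, 0, 0, 0)))
        else:
            results.append((socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, 0)))
    if not results:
        raise socket.gaierror(f"no records for {host}")
    return results


def resolve_all(hostname: str, resolver=socket.getaddrinfo):
    """Every unique IPv4/IPv6 address for hostname, v4 first, ascending."""
    seen = set()
    for _fam, _typ, _proto, _canon, sockaddr in resolver(hostname, None, 0, socket.SOCK_STREAM):
        seen.add(ipaddress.ip_address(sockaddr[0]))
    return sorted(seen, key=lambda a: (a.version, int(a)))


def group_by_address(hostnames, resolver=socket.getaddrinfo) -> dict[str, list[str]]:
    """Reverse map: address -> sorted in-scope names that land on it."""
    by_ip: dict[str, set[str]] = defaultdict(set)
    for name in hostnames:
        for ip in resolve_all(name, resolver):
            by_ip[str(ip)].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items()}


def nmap_commands(hostnames, ports: str = "80,443", resolver=socket.getaddrinfo) -> list[str]:
    """One nmap command per backend address; -6 is required for IPv6 targets.

    The names behind each address are appended as a shell comment so the
    report can be tied back to the hostnames that were actually in scope.
    """
    cmds = []
    for ip, names in sorted(group_by_address(hostnames, resolver).items()):
        argv = ["nmap", "-Pn", "-sV", "-p", ports]
        if ipaddress.ip_address(ip).version == 6:
            argv.append("-6")
        argv.append(ip)
        cmds.append(shlex.join(argv) + "  # " + ", ".join(names))
    return cmds


if __name__ == "__main__":
    for cmd in nmap_commands(["www.example.test", "api.example.test"], resolver=fake_getaddrinfo):
        print(cmd)
```

For a single name with no need for the reverse map, `nmap --resolve-all -Pn -p 80,443 www.example.test` has the same effect of scanning each resolved address. Either way, scanning by IP means HTTP-level checks hit whatever default virtual host answers on that address, which is exactly the "other organizations on the same IP" caveat the diary raises; vhost-sensitive scripts need the hostname passed separately.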
Adrian Sanabria
Director of Product Management at Tenchi Security
Lee Neely
Information Assurance APL at Lawrence Livermore National Laboratory
  1. WIRED: This Hacktivist Site Lets You Prank Call Russian Officials · Techukraine - A group of international hacktivists calling itself the "Obfuscated Dreams of Scheherazade" has reportedly launched the WasteRussiaTime.today website, which was created to protest the war in Ukraine by placing automated robocalls and prank calls to officials working in various Russian government entities, the military, and intelligence agencies.
  2. North Korea-linked Lazarus APT uses Log4J to target VMware servers - North Korea-linked Lazarus APT group has been leveraging the Log4J remote code execution (RCE) vulnerability (CVE-2021-44228) since at least January 2021 in attacks designed to infect internet-exposed VMware Horizon servers with a PowerShell command that ultimately installs the "NukeSped" backdoor.
  3. Clearview AI fined £7.5 million and told to delete all UK facial recognition data - Clearview AI has been fined £7.55 million ($9.5 million) by the UK's privacy watchdog for illegally scraping the facial images of UK citizens from the internet and social media platforms.
  4. Fake Windows exploits target infosec community with Cobalt Strike - An unknown threat actor has been identified sending infosec security researchers bogus Windows proof-of-concept (PoC) exploits that are designed to infect targeted devices with the legitimate "Cobalt Strike" penetration testing tool.
  5. Cisco Warns of Exploitation Attempts Targeting New IOS XR Vulnerability - Cisco notified customers that it had identified "in-the-wild" attempts to exploit the new, medium-severity open-port vulnerability (CVE-2022-20821) impacting its RPM and IOS XR software, which can be exploited by unauthenticated attackers to gain access to a Redis instance running within the "NOSi" container.
  6. Popular Python and PHP libraries hijacked to steal AWS keys - A threat actor has reportedly compromised the "ctx" PyPI module as part of a supply chain attack and distributed malicious versions of the module that are designed to steal developers' environment variables.