Prank Calls, Lazarus APT, WordPress Critical Vulns, CISA Adds 41 Flaws, & Zoom Bugs – PSW #742

"One of the flaws—tracked as CVE-2022-1654 and rated as 9.9, or critical on the CVSS–allows for “any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges and completely take over any site running either the Jupiter Theme or JupiterX Core Plugin,” he wrote. The plugin is required to run the JupiterX theme." - Not sure how we got to 9.9 when it still requires some level of authenticated user...

"The idea of taking 16^5 hash ranges, bundling them all up into a single monolithic archive then making it all downloadable seemed a non-trivial task."

Good tip: "So, how do we work through this problem of "my DNS target is now multiple different hosts, each with their own IP", and add to that, now dozens or hundreds of other hosts (from other organizations) now reside on those same IP addresses? By default, nmap will only assess the first IP returned for the DNS query against your hostname. "

738 if you're counting at home (https://www.cisa.gov/known-exploited-vulnerabilities-catalog), given there are 176k+ CVEs (https://www.cvedetails.com/), I believe this is good guidance. I'd flag these in my VM and make sure they get patched at the highest priority.

Counting CVEs is just silly. Multiple CVEs could be assigned for the same vulnerability, and multiple vulnerabilities can be addressed in a single advisory. Stop counting and comparing, it's just silly.

"Chaining the above vulnerabilities, an attacker can trick a vulnerable client into connecting to a rogue server, potentially leading to arbitrary code execution due to an update package downgrade in Zoom Client for Windows that could allow the installation of a less secure version."

"At its core, the platform works by snuffing and collecting encrypted wireless packets over the air to detect and identify concealed devices. Subsequently, it estimates the location of each identified device with respect to the user as they walk around the perimeter of the space. The localization module, for its part, combines signal strength measurements that are available in 802.11 packets (aka Received Signal Strength Indicator or RSSI) with relative user position determined by visual inertial odometry (VIO) information on mobile phones." - Snuffing? Okay, we typically say sniffing. Which, by the looks of it, you could do the same thing with Kismet...

Well, let's get hacking people! - "With this policy update, the DOJ is separating cases of good-faith security research from ill-intended hacking, which were previously distinguished by a blurred line that frequently placed ethical security research in a problematic, gray legal area. Under these new policies, software testing, investigation, security flaw analysis, and network breaches intended to promote the security and safety of the target devices or services are not to be prosecuted by federal prosecutors."

"White [Kubernetes] provides massive benefits to enterprises for agile app delivery, there are a few characteristics that make it an ideal attack target for exploitation,” he said. “For instance, as a result of having many containers, Kubernetes has a large attack surface that could be exploited if not pre-emptively secured." - Complexity breeds vulnerability.

Interesting: "To address these challenges, we developed PSP (a recursive acronym for PSP Security Protocol,) a TLS-like protocol that is transport-independent, enables per-connection security, and is offload-friendly. At Google, we employ all of these protocols depending on the use case. For example, we use TLS for our user-facing connections, we use IPsec for site-to-site encryption where we need interoperability with 3rd party appliances, and we use PSP for intra- and inter- data center traffic." - Don't invent your own protocol, especially for encryption, I mean unless you're Google.

Wow: "However, instead of paying the ransom, the bank representatives responded to the ransom negotiation by making fun of the hacker's '14m3-sk1llz.' They then proceeded to post a link to a dick pic while stating, "suck this dick and stop locking bank networks thinking that you will monetize something, learn to monetize."" - That's some balls right there...

I hate binary exploits for just this reason: "However, it soon became apparent that these proof-of-concept exploits were fake and installed Cobalt Strike beacons on people's devices. Cobalt Strike is a legitimate pentesting tool that threat actors commonly use to breach and spread laterally through an organization. In a subsequent report by cybersecurity firm Cyble, threat analysts analyzed the PoC and found that it was a .NET application pretending to exploit an IP address that actually infected users with the backdoor."

"'ctx' is a minimal Python module that lets developers manipulate their dictionary ('dict') objects in a variety of ways. The package, although popular, had not been touched since 2014 by its developer, as seen by BleepingComputer. However, newer versions emerged starting May 15th into this week and contained malicious code:"

Not sure if we covered this last month, if we did, we apologize for not vetting the source. We believe this to be a hoax now...

A group of international hacktivists calling itself the "Obfuscated Dreams of Scheherazade" has reportedly launched the WasteRussiaTime.today website, which was created to protest the war in Ukraine by placing automated robocalls and prank calls to officials working in various Russian government entities, the military, and intelligence agencies.

North Korea-linked Lazarus APT group has been leveraging the Log4J remote code execution (RCE) vulnerability (CVE-2021-44228) since at least January 2021 in attacks designed to infect internet-exposed VMware Horizon servers with a PowerShell command that ultimately installs the "NukeSped" backdoor.

Clearview AI has been fined £7.55 million ($9.5 million) by the UK's privacy watchdog for illegally scraping the facial images of UK citizens from the internet and social media platforms.

An unknown threat actor has been identified sending infosec security researchers bogus Windows proof-of-concept (PoC) exploits that are designed to infect targeted devices with the legitimate "Cobalt Strike" penetration testing tool.

Cisco notified customers that it had identified "in-the-wild" attempts to exploit the new, medium-severity open-port vulnerability (CVE-2022-20821) impacting its RPM and IOS XR software, which can be exploited by unauthenticated attackers to gain access to a Redis instance running within the "NOSi" container.

A threat actor has reportedly compromised the "ctx" PyPI module as part of a supply chain attack and distributed malicious versions of the module that are designed to steal developers' environment variables.