Daily summary - 28.02.2023

End-of-Day report

Timeframe: Monday 27-02-2023 18:00 - Tuesday 28-02-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a

News

Critical flaws in WordPress Houzez theme exploited to hijack websites

Hackers are actively exploiting two critical-severity vulnerabilities in the Houzez theme and plugin for WordPress, two premium add-ons used primarily in real estate websites.

https://www.bleepingcomputer.com/news/security/critical-flaws-in-wordpress-houzez-theme-exploited-to-hijack-websites/


New Exfiltrator-22 post-exploitation kit linked to LockBit ransomware

Threat actors are promoting a new Exfiltrator-22 post-exploitation framework designed to spread ransomware in corporate networks while evading detection.

https://www.bleepingcomputer.com/news/security/new-exfiltrator-22-post-exploitation-kit-linked-to-lockbit-ransomware/


Password manager: Lastpass shares further details on the December hack

Via a keylogger on a private computer, attackers were able to gain admin access to various Lastpass customer data and to its source code.

https://www.golem.de/news/passwortmanager-lastpass-teilt-weitere-details-zum-dezember-hack-mit-2302-172255.html


Side-Channel Attack against CRYSTALS-Kyber

CRYSTALS-Kyber is one of the public-key algorithms currently recommended by NIST as part of its post-quantum cryptography standardization process. Researchers have just published a side-channel attack, using power consumption, against an implementation of the algorithm that was supposed to be resistant against that sort of attack. The algorithm is not "broken" or "cracked", despite headlines to the contrary; this is just a side-channel attack.

https://www.schneier.com/blog/archives/2023/02/side-channel-attack-against-crystals-kyber.html


CISA Issues Warning on Active Exploitation of ZK Java Web Framework Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw affecting the ZK Framework to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. Tracked as CVE-2022-36537 (CVSS score: 7.5), the issue impacts ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1, and allows threat actors to retrieve sensitive information via specially crafted requests.

https://thehackernews.com/2023/02/cisa-issues-warning-on-active.html


A Complete Kubernetes Config Review Methodology

There are many resources out there that tap into the subject of Kubernetes Pentesting or Configuration Review; however, they usually detail specific topics and misconfigurations and don't offer a broad perspective on how to do a complete Security Review. That is why in this article I want to cover a more complete overview of all the possible aspects that should be reviewed when dealing with a Kubernetes Security Assessment.

https://securitycafe.ro/2023/02/27/a-complete-kubernetes-config-review-methodology/


Vulnerabilities Being Exploited Faster Than Ever: Analysis

The time from vulnerability disclosure to exploitation is decreasing, according to a new intelligence report from Rapid7.

https://www.securityweek.com/vulnerabilities-being-exploited-faster-than-ever-analysis/


Buying concert tickets on Facebook: beware of fraud

Facebook is a popular place to get hold of tickets for sold-out concerts. Be aware, however, that fake profiles are behind many of the offers. Check the seller's profile very carefully and never pay with the PayPal "Send money to friends & family" function. We show you how to recognise fraudulent offers on Facebook.

https://www.watchlist-internet.at/news/konzertkarten-auf-facebook-kaufen-vorsicht-vor-betrug/


Fake email from FinanzOnline about a security update in circulation

Scrutinise emails from the tax office or from FinanzOnline very carefully. Countless fraudulent messages are currently in circulation.

https://www.watchlist-internet.at/news/gefaelschtes-e-mail-von-finanzonline-ueber-sicherheitsaktualisierung-im-umlauf/


Security vendor Cyren goes into liquidation - NoSpamProxy affected

Brief information for users who rely on security functions from the vendor Cyren (e.g. NoSpamProxy). The vendor Cyren is in financial difficulties and will most likely be liquidated; the services concerned will be discontinued.

https://www.borncity.com/blog/2023/02/28/sicherheitsanbieter-cyren-geht-in-liquidation-nospamproxy-betroffen/


Bitdefender Releases Free MortalKombat Ransomware Decryptor

The free Mortal Kombat ransomware decryptor is now available for victims to recover their encrypted files without having to pay the ransom.

https://www.hackread.com/bitdefender-mortalkombat-ransomware-decryptor/

Vulnerabilities

VMSA-2023-0006

CVSSv3 Range: 6.3
CVE(s): CVE-2023-20857
Synopsis: VMware Workspace ONE Content update addresses a passcode bypass vulnerability (CVE-2023-20857)

https://www.vmware.com/security/advisories/VMSA-2023-0006.html


Security updates for Tuesday

Security updates have been issued by Debian (curl, python-werkzeug, and spip), Fedora (curl), Mageia (apache-commons-fileupload, apr, c-ares, clamav, git, gnutls, ipython, jupyter-core, php, postgresql, python-cryptography, python-jupyterlab, python-twisted, sofia-sip, and sox), Red Hat (git, httpd, kernel, kernel-rt, kpatch-patch, lua, openssl, pcs, php, python-setuptools, python3.9, systemd, tar, vim, and zlib), SUSE (libxslt, php8, postgresql15, python3, tpm2-0-tss, and ucode-intel), and

https://lwn.net/Articles/924690/


IBM Security Bulletins 2023-02-23

IBM VM Recovery Manager, IBM MQ Appliance, Red Hat OpenShift on IBM Cloud, IBM Business Automation Workflow, WebSphere Application Server, IBM SAN b-type switch, IBM FlashSystem, TMS RAMSAN, IBM HTTP Server, IBM CloudPak, Operations Dashboard, IBM QRadar SIEM Application Framework Base Image.

https://www.ibm.com/support/pages/bulletin/


CVE-2022-38108: RCE in SolarWinds Network Performance Monitor

In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Justin Hong and Lucas Miller of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the SolarWinds Network Performance Monitor. This bug was originally discovered and reported by ZDI Vulnerability Researcher Piotr Bazydło. The vulnerability results from the lack of proper validation of user-supplied data, which can result in the deserialization of untrusted data.

https://www.thezdi.com/blog/2023/2/27/cve-2022-38108-rce-in-solarwinds-network-performance-monitor


ASUS ASMB8 iKVM 1.14.51 SNMP Remote Root

https://cxsecurity.com/issue/WLB-2023020047


ABUS Security Camera TVIP 20000-21150 LFI / Remote Code Execution

https://cxsecurity.com/issue/WLB-2023020046


web2py development tool vulnerable to open redirect

https://jvn.jp/en/jp/JVN78253670/


Osprey Pump Controller 1.0.1 Exploit Code released

https://www.zeroscience.mk/en/vulnerabilities/


OS Command Injection in Barracuda CloudGen WAN

https://sec-consult.com/de/vulnerability-lab/advisory/os-command-injection-in-barracuda-cloudgen-wan/