End-of-Day report
Timeframe: Monday 27-02-2023 18:00 - Tuesday 28-02-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
News
Critical flaws in WordPress Houzez theme exploited to hijack websites
Hackers are actively exploiting two critical-severity vulnerabilities in the Houzez theme and plugin for WordPress, two premium add-ons used primarily in real estate websites.
https://www.bleepingcomputer.com/news/security/critical-flaws-in-wordpress-houzez-theme-exploited-to-hijack-websites/
New Exfiltrator-22 post-exploitation kit linked to LockBit ransomware
Threat actors are promoting a new Exfiltrator-22 post-exploitation framework designed to spread ransomware in corporate networks while evading detection.
https://www.bleepingcomputer.com/news/security/new-exfiltrator-22-post-exploitation-kit-linked-to-lockbit-ransomware/
Password manager: Lastpass shares further details on the December hack
Via a keylogger on a private computer, attackers were able to obtain admin access to various Lastpass customer data and to its source code.
https://www.golem.de/news/passwortmanager-lastpass-teilt-weitere-details-zum-dezember-hack-mit-2302-172255.html
Side-Channel Attack against CRYSTALS-Kyber
CRYSTALS-Kyber is one of the public-key algorithms currently recommended by NIST as part of its post-quantum cryptography standardization process. Researchers have just published a side-channel attack, using power consumption, against an implementation of the algorithm that was supposed to be resistant against that sort of attack. The algorithm is not "broken" or "cracked", despite headlines to the contrary; this is just a side-channel attack.
https://www.schneier.com/blog/archives/2023/02/side-channel-attack-against-crystals-kyber.html
CISA Issues Warning on Active Exploitation of ZK Java Web Framework Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw affecting the ZK Framework to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. Tracked as CVE-2022-36537 (CVSS score: 7.5), the issue impacts ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1, and allows threat actors to retrieve sensitive information via specially crafted requests.
https://thehackernews.com/2023/02/cisa-issues-warning-on-active.html
A Complete Kubernetes Config Review Methodology
There are many resources out there that tap into the subject of Kubernetes Pentesting or Configuration Review, however, they usually detail specific topics and misconfigurations and don't offer a broad perspective on how to do a complete Security Review. That is why in this article I want to cover a more complete overview on all the possible aspects that should be reviewed when dealing with a Kubernetes Security Assessment.
https://securitycafe.ro/2023/02/27/a-complete-kubernetes-config-review-methodology/
Vulnerabilities Being Exploited Faster Than Ever: Analysis
The time from vulnerability disclosure to exploitation is decreasing, according to a new intelligence report from Rapid7.
https://www.securityweek.com/vulnerabilities-being-exploited-faster-than-ever-analysis/
Buying concert tickets on Facebook: beware of fraud
Facebook is a popular place to get hold of tickets for sold-out concerts. Bear in mind, however, that fake profiles are behind many of the offers. Check the seller's profile very carefully and never pay using the PayPal "Send money to friends & family" function. We show you how to recognise fraudulent offers on Facebook.
https://www.watchlist-internet.at/news/konzertkarten-auf-facebook-kaufen-vorsicht-vor-betrug/
Fake e-mail from FinanzOnline about a security update in circulation
Scrutinise e-mails from the tax office or from FinanzOnline very carefully. At the moment, countless fraudulent messages are in circulation.
https://www.watchlist-internet.at/news/gefaelschtes-e-mail-von-finanzonline-ueber-sicherheitsaktualisierung-im-umlauf/
Security vendor Cyren goes into liquidation - NoSpamProxy affected
Brief information for users who rely on security functions from the vendor Cyren (e.g. NoSpamProxy). Cyren is in financial difficulties and will most likely be liquidated; the services concerned will be discontinued.
https://www.borncity.com/blog/2023/02/28/sicherheitsanbieter-cyren-geht-in-liquidation-nospamproxy-betroffen/
Bitdefender Releases Free MortalKombat Ransomware Decryptor
The free Mortal Kombat ransomware decryptor is now available for victims to recover their encrypted files without having to pay the ransom.
https://www.hackread.com/bitdefender-mortalkombat-ransomware-decryptor/
Vulnerabilities
VMSA-2023-0006
CVSSv3 Range: 6.3
CVE(s): CVE-2023-20857
Synopsis: VMware Workspace ONE Content update addresses a passcode bypass vulnerability (CVE-2023-20857)
https://www.vmware.com/security/advisories/VMSA-2023-0006.html
Security updates for Tuesday
Security updates have been issued by Debian (curl, python-werkzeug, and spip), Fedora (curl), Mageia (apache-commons-fileupload, apr, c-ares, clamav, git, gnutls, ipython, jupyter-core, php, postgresql, python-cryptography, python-jupyterlab, python-twisted, sofia-sip, and sox), Red Hat (git, httpd, kernel, kernel-rt, kpatch-patch, lua, openssl, pcs, php, python-setuptools, python3.9, systemd, tar, vim, and zlib), SUSE (libxslt, php8, postgresql15, python3, tpm2-0-tss, and ucode-intel), and
https://lwn.net/Articles/924690/
IBM Security Bulletins 2023-02-23
IBM VM Recovery Manager, IBM MQ Appliance, Red Hat OpenShift on IBM Cloud, IBM Business Automation Workflow, WebSphere Application Server, IBM SAN b-type switch, IBM FlashSystem, TMS RAMSAN, IBM HTTP Server, IBM CloudPak, Operations Dashboard, IBM QRadar SIEM Application Framework Base Image.
https://www.ibm.com/support/pages/bulletin/
CVE-2022-38108: RCE in SolarWinds Network Performance Monitor
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Justin Hong and Lucas Miller of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the SolarWinds Network Performance Monitor. This bug was originally discovered and reported by ZDI vulnerability researcher Piotr Bazydło. The vulnerability results from the lack of proper validation of user-supplied data, which can result in the deserialization of untrusted data.
https://www.thezdi.com/blog/2023/2/27/cve-2022-38108-rce-in-solarwinds-network-performance-monitor
ASUS ASMB8 iKVM 1.14.51 SNMP Remote Root
https://cxsecurity.com/issue/WLB-2023020047
ABUS Security Camera TVIP 20000-21150 LFI / Remote Code Execution
https://cxsecurity.com/issue/WLB-2023020046
web2py development tool vulnerable to open redirect
https://jvn.jp/en/jp/JVN78253670/
Osprey Pump Controller 1.0.1 Exploit Code released
https://www.zeroscience.mk/en/vulnerabilities/
OS Command Injection in Barracuda CloudGen WAN
https://sec-consult.com/de/vulnerability-lab/advisory/os-command-injection-in-barracuda-cloudgen-wan/