VERTs Cybersecurity News for the Week of May 16, 2022

All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of May 16, 2022. I’ve also included some comments on these stories. 

Watch Out! Hackers Begin Exploiting Recent Zyxel Firewalls RCE Vulnerability  

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two security flaws to its Known Exploited Vulnerabilities Catalog, the Hacker News reports. Citing evidence of active exploitation, the reported flaws included the recently disclosed remote code execution bug affecting Zyxel firewalls. 

ANDREW SWOBODA | Senior Security Researcher at Tripwire

Zyxel Firewalls are subject to a code execution vulnerability. Attackers can inject arbitrary commands upon successful exploitation of this vulnerability. The following devices are affected by this vulnerability: USG FLEX 100, 100W, 200, 500, 700 USG20-VPN, USG20W-VPN ATP 100, 200, 500, 700, 800, and VPN series. Upgrade to patch V5.30 or later to fix this vulnerability. 


Hackers target Tatsu WordPress plugin in millions of attacks  

Hackers are massively exploiting a remote code execution vulnerability (CVE-2021-25094) in the Tatsu Builder plugin for WordPress, which is installed on about 100,000 websites. Although the patch has been available since early April, up to 50,000 websites are estimated to still run a vulnerable version of the plugin, Bleeping Computer notes. 

ANDREW SWOBODA | Senior Security Researcher at Tripwire

The Tatsu Builder plugin for WordPress is subject to a code execution vulnerability. To exploit this vulnerable attackers need to upload a malicious zip file that extracts a PHP file that starts with a ‘.’ to bypass extension controls.  

It is estimated that there are 50 000 vulnerable websites. Attackers are currently exploiting this issue and it is necessary to patch vulnerable systems. Versions of Tatsu Builder prior to 3.3.13 are vulnerability to exploitation.  

Attackers have been seen trying to inject a hidden malware dropper in “wp-content/uploads/typehub/custom/”. Check to make sure a file with the name “.sp3ctra_XO.php” and a MD5 hash of 3708363c5b7bf582f8477b1c82c8cbf8 is not located on the system. This is a known malicious file associated with the attack. 


380K Kubernetes API Servers Exposed to Public Internet  

Here’s a shocking fact: 380K Kubernetes API server are currently exposed to the public internet. Threatpost warns that over three-quarters of the 450,000-plus servers hosting the open-source container-orchestration engine for managing cloud deployments allows some form of access. 

ANDREW SWOBODA | Senior Security Researcher at Tripwire

Between 300,000 and 400,000 Kubernetes API servers have been discovered to be exposed on the internet. While testing ShadowServer notices that servers responded to a “200 OK”. This does not mean that each server will have the same attack surface, but might configured to allow more permissions than necessary.  

This article highlights the need to ensure that systems are not configured to be more permissible than necessary.  


Sysrv-K Botnet Targets Windows, Linux 

Microsoft researchers say they are tracking a botnet that is leveraging bugs in the Spring Framework and WordPress plugins, reports Threatpost.  

Matthew Jerzewski | Security Researcher at Tripwire 

Sysrv-k is back at it again with some new features. The botnet known as “sysrv-k” has been scanning numerous webapps, databases, WordPress plugins, and now is taking advantage of the new CVE identified in Spring Framework API and Spring Cloud Gateway. CVE-2022-22947 is one of the numerous CVE’s released this year getting a CVSS score of 10 affecting Spring Cloud Gateway. The sysrv-k botnet is leveraging this vulnerability which exposes apps to remote code injection, therefore allowing the botnet to install Monero crypto miners. 


APTs Overwhelmingly Share Known Vulnerabilities Rather Than Attack 0-Days 

Research indicates that organizations should make patching existing flaws a priority to mitigate risk of compromise, Threatpost notes. Most advanced persistent threat groups (APTs) use known vulnerabilities in their attacks against organizations, suggesting the need to prioritize faster patching rather than chasing zero-day flaws as a more effective security strategy, new research has found. 

Darlene Hibbs | Security Researcher at Tripwire 

It’s risky to assume that APTs are only targeting 0-day exploits. Research shows that known vulnerabilities are just as likely an attack vector for APTs if not more so, and slow patch cycles can increase the chances of a breach by 9 times. There is only so much that can be done to mitigate the risk of 0-day vulnerabilities as you don’t know what you don’t know, but decreasing the time to patch what you do know about can significantly reduce risk. 


Keep in Touch with Tripwire VERT 

Want more insights from Tripwire VERT before our next cybersecurity news roundup comes out? Subscribe to our newsletter here.  

Previous VERT Cybersecurity News Roundups