Hackerzhome

Cybersecurity news all over the world

HACKERZHOME NEWS

February 28, 2023

Tuesday

Critical flaws in the WordPress Houzez theme are being exploited to take over websites.

The Houzez theme and plugin for WordPress, two premium add-ons used mostly in real estate websites, contain two critical-severity vulnerabilities that hackers are actively exploiting.


Houzez is a paid plugin costing $69 that offers simple listing administration and a pleasant user experience.

According to the vendor’s website, it serves approximately 35,000 real estate business clients.


The two flaws were reported to the theme’s distributor, ThemeForest, by Patchstack threat researcher Dave Jong. One was fixed in version 2.6.4 (August 2022) and the other in version 2.7.2 (November 2022).


The first Houzez bug is tracked as CVE-2023-26540 and carries a CVSS v3.1 severity score of 9.8 out of 10.0, classifying it as a critical vulnerability.


It affects Houzez Theme plugin versions 2.7.1 and earlier and can be abused remotely, without authentication, to escalate privileges.


The second vulnerability, CVE-2023-26009, affects the Houzez Login Registration plugin and is also rated critical (CVSS v3.1: 9.8).


It affects versions 2.6.3 and earlier and lets unauthenticated attackers escalate their privileges on sites that use the plugin.

Internet Explorer is still allowing RIG Exploit Kit to infect enterprise users.

The RIG Exploit Kit is currently in its most active phase, attempting roughly 2,000 intrusions per day and succeeding in about 30% of them, the highest success rate in the service’s long operational history.

RIG EK has been observed disseminating several malware families, including Dridex, SmokeLoader, and RaccoonStealer, by making use of relatively outdated Internet Explorer flaws.

The exploit kit continues to pose a serious, widespread threat to people and organizations, according to a thorough study by Prodaft, whose researchers have access to the service’s backend web panel.

When RIG EK was initially launched in 2014, it was marketed as an “exploit-as-a-service” that other malware operators could rent to distribute their malware on unpatched systems.

The RIG exploit kit is a set of malicious JavaScript scripts that threat actors plant on malicious or compromised websites, including through advertisements placed there.

When a user visits one of these sites, the malicious scripts run and attempt to install malware on the user’s device automatically by exploiting a range of browser security holes.

A LastPass DevOps engineer’s computer was breached in 2022 to acquire password vault data.

LastPass has published further details about an “organized second attack” in which a threat actor accessed and stole data from the company’s Amazon AWS cloud storage servers over more than two months.

In a breach LastPass disclosed in December, threat actors obtained customer data and partially encrypted password vault data.

The company has now explained how this attack was carried out: the threat actors installed a keylogger on a senior DevOps engineer’s computer by combining information stolen in the August data breach, information from a separate breach, and a remote code execution vulnerability.

According to LastPass, the stolen information from the initial breach was used in this second coordinated attempt to access the company’s encrypted Amazon S3 buckets.

The threat actor chose one of the four LastPass DevOps engineers because they were the only ones with access to the decryption keys.

In the end, the attackers installed a keylogger on the employee’s device by exploiting a remote code execution flaw in a third-party media software package.

U.S. Marshals Service is looking into a data theft and ransomware attack.

The U.S. Marshals Service (USMS) is investigating the theft of sensitive law enforcement data following a ransomware attack that, according to the agency, hit “a stand-alone USMS system.”

The Justice Department’s USMS bureau supports all facets of the federal justice system by carrying out court orders, recovering illegally acquired property, ensuring the protection of government witnesses and their families, and performing other tasks.

The federal law enforcement agency confirmed to NBC, which broke the story, that the stolen material contained personally identifiable information about employees.

The compromised machine has been cut off from the USMS network, and a “major incident” investigation is ongoing into the attack.

Those familiar with the situation claim that the attackers were unable to access the database for the USMS’s witness protection program, also known as WITSEC.

In a December 2019 incident, the U.S. Marshals Service exposed the personal information of nearly 387,000 former and current offenders, including their names, dates of birth, home addresses, and Social Security numbers. Another data breach was made public in May 2020.

Alleged Activision employee data is leaked by a hacker to a cybercrime community.

A threat actor posted data allegedly stolen from American game company Activision in December 2022 on a hacker forum, highlighting its value for phishing operations.

In a post on the Breached hacking forum, a site used by threat actors to sell and distribute stolen data, the hackers claim to have taken the data from Activision’s Azure database.

The exposed information consists of 19,444 distinct records, each containing the full name, contact information, occupation, residence, and email address of a purported Activision employee. Any forum user can download the dump for free as a text file.

Activision added that it had concluded that the intruders had not taken any sensitive employee data after completing a comprehensive internal investigation.

This contradicts media reports: Insider Gaming, after reviewing the stolen material, reported that it contained sensitive employee information matching what was disclosed today.

Because the employee database is now freely available to a wider audience, including a forum that is particularly popular with threat actors, Activision employees are more likely to be targeted by phishing and social engineering attacks.
