InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Security researchers have discovered a PoC code and exploit available online that can be used to trigger unpatched security flaws in Apache Struts 2.
Security researchers have discovered PoC code and an exploit available on GitHub that can be used to trigger the security vulnerabilities in Apache Struts 2.
The proof-of-concept exploit code was released last week; it allows an attacker to trigger CVE-2019-0230 and CVE-2019-0233 in Apache Struts 2, which are classified as remote code execution and denial-of-service issues respectively. Both vulnerabilities were addressed by the Apache team in November 2019.
According to an advisory published by the Cybersecurity and Infrastructure Security Agency (CISA) the two flaws impact Apache Struts versions 2.0.0 through 2.5.20. The Apache Struts Security Team urges administrators to upgrade their installs to Struts 2.5.22.
Apache Struts 2 is an open-source, extensible framework for creating enterprise-ready Java web applications.
Unpatched installs could allow attackers to carry out malicious activities. In 2017, the credit reporting agency Equifax suffered a massive data breach after attackers exploited the CVE-2017-5638 Apache Struts vulnerability.
CVE-2019-0230, for which proof-of-concept exploit code is publicly available, could be triggered when a threat actor sends a malicious Object-Graph Navigation Language (OGNL) expression, resulting in remote code execution in the context of the affected application.
Depending on the privileges associated with the affected application, an attacker could perform multiple malicious activities, such as installing applications, modifying or deleting data, or creating new admin accounts.
The DoS flaw, tracked as CVE-2019-0233, affects the write permissions of file directories, which could lead to conditions ripe for a DoS attack.
According to the Apache Struts Wiki description of the bug, this flaw can be triggered with a file upload to a Struts Action that exposes the file.
“When a file upload is performed to an Action that exposes the file with a getter, an attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file will fail with an error,” reads the advisory. “It might also be possible to set the Servlet container’s temp directory to read only, such that subsequent upload actions will fail.”
The Apache security bulletin recommends upgrading outdated installs and verifying that no unauthorized modifications have occurred on the system.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday released an alert about phishing attacks targeting various government organizations to steal logins for the Small Business Administration COVID-19 loan relief accounts.
In a newer phishing attack that started in August, security researchers saw the threat actor using convincing tricks to fool potential victims into providing personal and financial information.
Some Countermeasures:
Checking the source of the message for the sender address will reveal the real one. Simply comparing it with the legitimate email will show the fraud attempt.
Paying attention to the URL in the address bar should also ensure that you don’t fall for a trick and are on the genuine page.
CISA recommends organizations include warning banners for messages from an external source. Even if the message bypasses email defenses, users may act with more caution.
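The two countermeasures above (comparing the real sender address with the legitimate one, and banner-tagging external mail) as an added example, not code from the original post. It uses Python's standard `email` package on a constructed sample message; the internal-domain set and the legitimate domain passed in are assumed values.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not from the original post): the display name claims to be
# the SBA, but the real sender address is on an unrelated, look-alike domain.
SAMPLE_MESSAGE = """\
From: "SBA Loan Relief" <noreply@sba-loan-relief-example.com>
To: grants@agency.example.gov
Subject: Action required: confirm your COVID-19 loan account
Content-Type: text/plain; charset=utf-8

Sign in at http://sba-loan-relief-example.com/login to keep your account.
"""

# Domains this organisation treats as internal (assumed value for the example).
INTERNAL_DOMAINS = {"agency.example.gov"}


def sender_details(raw_message: str) -> dict:
    """Parse the From header and return the display name, real address and domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    return {"display_name": display_name, "address": address, "domain": domain}


def matches_legitimate_sender(raw_message: str, legitimate_domain: str) -> bool:
    """Compare the real sender domain with the domain the message claims to come from."""
    return sender_details(raw_message)["domain"] == legitimate_domain.lower()


def is_external(raw_message: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True when the real sender domain is not one of ours, i.e. banner-worthy."""
    return sender_details(raw_message)["domain"] not in internal_domains


def add_external_banner(raw_message: str, internal_domains=INTERNAL_DOMAINS) -> str:
    """Prepend a CISA-style external-sender warning to the body of external mail."""
    if not is_external(raw_message, internal_domains):
        return raw_message
    details = sender_details(raw_message)
    banner = (f"[EXTERNAL] Real sender: {details['address']}\n"
              f"Displayed as: {details['display_name']}\n"
              "Verify the sender before acting on this message.\n\n")
    msg = email.message_from_string(raw_message, policy=policy.default)
    msg.set_content(banner + msg.get_content())  # rebuilds the text/plain body
    return msg.as_string()
```

The banner names the real address next to the displayed name so that a reader sees the mismatch the countermeasure relies on without opening the message source.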
Eager to avoid a repeat of its disastrous role as a super-spreader of misinformation during the 2016 election cycle, Facebook is getting its ducks in a row. Following an announcement earlier this summer, the company is now launching a voting information hub that will centralize election resources for U.S. users and ideally inoculate at least […]
The voting information center will appear in the menu on both Facebook and Instagram. As part of the same effort, Facebook will also target U.S. users with notifications based on location and age, displaying relevant information about voting in their state. The info center will help users check their state-specific vote-by-mail options, request mail-in ballots and provide voting-related deadlines.
Along with other facets of its pre-election push, Facebook will roll out previously announced “voting alerts,” a feature that will allow state election officials to communicate election-related updates to users through the platform. “This will be increasingly critical as we get closer to the election, with potential late-breaking changes to the voting process that could impact voters.”
Full details of security vuln plus proof-of-concept exploits revealed
This critical-severity bug – scoring 9.9 out of 10 on the CVSS v3 meter – can be exploited by a rogue authenticated user, or someone whose access has been hijacked, to inject arbitrary code into an application server. This means they can run malicious commands they shouldn’t be able to on the server, download sensitive information, or crash the installation.
“In consequence, an attacker can break out of the desired syntactic instructions. Injecting ABAP code in the VALUE field allows the attacker to manipulate the source code of the generated subroutine pool and thereby the execution logic of the entire module. Since the attacker can freely choose the characters that can be used in this field, arbitrary ABAP code can be injected.
“To exploit this behavior an attacker can supply special characters like ‘ and . to escape the string quotation that is built into the source code. Afterwards, an attacker can simply specify any semantically valid ABAP code that gets executed by the application server.”
TikTok skirted a privacy safeguard in Google’s Android operating system to collect unique identifiers from millions of mobile devices, data that allows the app to track users online without allowing them to opt out, a Wall Street Journal analysis has found.
The tactic, which experts in mobile-phone security said was concealed through an unusual added layer of encryption, appears to have violated Google policies limiting how apps track people and wasn’t disclosed to TikTok users. TikTok ended the practice in November, the Journal’s testing showed.
The identifiers collected by TikTok, called MAC addresses, are most commonly used for advertising purposes. The White House has said it is worried that users’ data could be obtained by the Chinese government and used to build detailed dossiers on individuals for blackmail or espionage.
A large-scale hacking campaign is targeting government and university websites to host articles on hacking social network accounts that lead to malware and scams.
Some of the sites targeted in this campaign belong to government sites for San Diego, Colorado, Minnesota, as well as sites for UNESCO, the National Institutes of Health (nih.gov), National Cancer Institute (cancer.gov), Rutgers, University of Washington, Arizona State University, Rochester Institute of Technology, University of Iowa, Maryland University, and University of Michigan.
From the samples observed by BleepingComputer, the threat actors exploit vulnerabilities in CMS platforms to insert their own hosted articles. One of the common methods we saw was to exploit Drupal’s Webform component to upload PDFs with links to the fake hacking tools.
Why are small and medium-sized businesses a target for ransomware-wielding gangs and what can they do to protect themselves against cyber-extortion?
According to a recent report by the Ponemon Institute, the biggest challenge faced by SMBs is a shortage of personnel to deal with cyber-risks, attacks, and vulnerabilities, while the second greatest problem revolves around limited budgets. The third biggest challenge is that the firms may lack an understanding of how to protect against cyberattacks.
According to Datto’s report, ransomware is at the top of the list of the malware threats that SMBs face, with one in five reporting that they had fallen victim to a ransomware attack. The average ransom requested by threat actors is about US$5,900. However, that is not the final price tag; the cost of downtime is 23 times greater than the ransom requested in 2019, coming in at US$141,000 and representing an increase of over 200% from 2018 to 2019.
“Funding cybercriminals also funds larger cyberattacks, so it must be reiterated that paying won’t always make the issue go away,” says ESET cybersecurity specialist Jake Moore.
The key, then, is prevention, and it includes these basic measures:
All employees should undergo regular training so as to be up-to-date on cybersecurity best practices. This can go a long way in lowering the chances of them clicking on potentially hazardous links in their emails that could be laced with ransomware or plugging in unknown USB devices that could be loaded with malware.
You should always keep your operating systems and other software updated to the newest version available and, whenever a patch is released, apply it.
Always plan for the worst and hope for the best, so have a business continuity plan at the ready in case disaster strikes. It should include a data backup and maybe even a backup infrastructure you can use while you try to restore your locked systems.
Backups are essential for everyone, be it individuals or huge enterprises. Back up your business-critical data regularly and test those backups frequently to see if they are functioning correctly, so that they don’t leave you in a bind if you’re hit. At least the most valuable data should also be stored off-line.
Reduce the attack surface by disabling or uninstalling any unnecessary software or services. Notably, as remote access services are often the primary vector for many ransomware attacks, you would be well advised to disable internet-facing RDP entirely or at least limit the number of people allowed remote access to the firm’s servers over the internet.
Never underestimate the value of a reputable, multilayered security solution. Besides your employees, it is your first line of defense that you should have up and running to protect you against all manner of threats, not ‘just’ ransomware attacks. Also, make sure the product is patched and up-to-date.
Demirkapi shows how drivers can be misused for deep pwnage
DEF CON Writing a successful Windows rootkit is easier than you would think. All you need to do is learn assembly and C/C++ programming, plus exploit development, reverse engineering, and Windows internals, and then find and abuse a buggy driver, and inject and install your rootkit, and bam. Happy days.
Alternatively, write your own malicious driver, sign it with a stolen or leaked certificate or your own paid-for cert so that Windows trusts it, and load it.
This is according to undergraduate bug-hunter Bill Demirkapi in a talk he gave at the now-virtual DEF CON hacking conference, which you can watch below. He told the web audience on Thursday many common Windows drivers provide the conduit rootkit writers need to compromise PCs at a level most antivirus can’t or won’t reach.
A rootkit is a type of malware that, once it has gained all-controlling kernel-level access on a machine, modifies the system to ensure it retains that power while remaining out of sight of users, and ideally the operating system and any installed antivirus. Thus any subsequent malicious code launched by the rootkit inherits its high privileges, allowing it to snoop on the PC, steal passwords, and so on.
The trick to pulling this off is gaining code execution at an administrator or kernel level – and leveraging that to hook into the OS and stay out of sight. One way of doing this is by exploiting security flaws in drivers that wind up granting normal applications that level of access, or by exploiting the dozens of elevation-of-privilege flaws Microsoft patches every month in its software.
“There are a lot of publicly available vulnerable drivers out there,” said Demirkapi, “and with some reversing knowledge, finding your own zero-day [vulnerability] in one of these drivers can be trivial.”
Demirkapi gave the infamous Capcom driver as an example of insecure kernel-level software that can be tricked into granting any application-level code complete control over a machine. Some of these buggy driver APIs require administrator privileges to exploit, though. The holy grail is one that grants, on x86 machines, unprivileged ring-3 code unhindered ring-0 code execution.
Another way into the kernel is to write your own malicious driver, sign it with a stolen or leaked code-signing certificate or a paid-for one, and load it. Antivirus tools pretty much leave kernel drivers alone and focus on application-level software, and the operating system is rather lax in checking certs are legit. If you use a certificate you’ve paid for, the rootkit can be traced back to you, if or when it’s discovered.
Using a signed malicious driver is a more stable route into the heart of Windows, as exploiting vulnerable drivers requires tailoring your exploit code for particular versions and conditions.
However you manage it, from there it’s just a matter of opening a stealthy connection to a remote command’n’control server and phoning home for instructions, if necessary, while blending in with the noise on the system and hooking into the OS to intercept operations, such as file access. The rootkit should also ensure it runs all the time so that it doesn’t lose control of the box, and blocks attempts by security tools to uncover it.
It’s not impossible for antivirus to detect these sorts of rootkits, we’re told, though it will involve monitoring all the points where the malware can insert its tentacles into the operating system. “It’s going to be pretty expensive, because an antivirus would need to replicate our hooking procedure,” the Trend Micro driver botherer said.
The European Union on Thursday slapped sanctions on six people and three organizations, including Russia’s military intelligence agency, accusing them of responsibility for several cyber-attacks that threatened EU interests.
EU headquarters said in a statement that those targeted include people considered to be involved in the 2017 “WannaCry” ransomware attack, the “NotPetya” strike that notably caused havoc in Ukraine, and the “Operation Cloud Hopper” hacking campaign.
The sanctions are the first that the EU has ever imposed for cyber-attacks.
A threat actor is flooding a hacker forum with databases exposing over 386 million user records that they claim were stolen from eighteen companies during data breaches.
Rite Aid used facial recognition in largely lower-income, non-white neighborhoods. The systems included one from a firm with links to China and its government.
Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of privacy information management systems according to ISO/IEC 27701 in combination with ISO/IEC 27001 (DRAFT)
Within a year or so, organisations will be able to have their Privacy Information Management Systems certified compliant with ISO/IEC 27701, thanks to a new accreditation standard ISO/IEC TS 27006 part 2, currently in draft.
“Potentially, a PIMS certificate may become the generally-accepted means of demonstrating an organisation’s due care over privacy and personal data protection – a way to assure data subjects, business partners, the authorities and courts that they have, in fact, adopted good privacy practices.”
Names, credit card data, addresses, and information on transactions as recent as yesterday are being sold online.
As of Wednesday, sellers in two dark web stores were offering information from what appeared to be 278,531 accounts, although some of those may be duplicates or not genuine. As of April, Instacart had “millions of customers across the US and Canada,” according to a company spokesperson.