Proof-of-concept exploit code surfaced on GitHub on Friday, raising the stakes on two existing Apache Struts 2 bugs that allow for remote code-execution and denial-of-service attacks on vulnerable installations. The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding the two bugs, tracked as CVE-2019-0230 and CVE-2019-0233. Impacted are Apache Struts versions 2.0.0 through 2.5.20. Remediation includes upgrading to Struts 2.5.22, according to the Apache Struts Security Team. Struts 2 is an open-source coding framework and library for enterprise developers, popular with developers and companies when creating Java-based applications. Both of the exploitable vulnerabilities in question were fixed last November. Researchers have warned about outdated installations of Apache Struts 2: if left unpatched, they can open the door to more critical holes similar to the bug at the root of the massive Equifax breach, which was also an Apache Struts 2 flaw (CVE-2017-5638).

PoC Released to GitHub

The proof-of-concept (PoC) released this week raises the greatest concern with CVE-2019-0230, originally rated important when first uncovered by Matthias Kaiser at Apple Information Security. The bug is triggered when a threat actor sends malicious Object-Graph Navigation Language (OGNL) expressions that can then open the door for a remote code-execution attack, according to the security bulletin. OGNL is a Java language that can let attackers access data objects, and…

Source

A campaign aimed at Mac users is spreading the XCSSET suite of malware, which has the capability to hijack the Safari web browser and inject various JavaScript payloads that can steal passwords, financial data and personal information, deploy ransomware and more. Infections are propagating via Xcode developer projects, researchers noted; the cybercriminals behind the campaign are injecting the malware into them, according to Trend Micro. Xcode consists of a suite of free, open software development tools developed by Apple for creating software for macOS, iOS, iPadOS, watchOS and tvOS. Thus, any apps built on top of the projects automatically include the malicious code. The initial discovery of the threat came when “we learned that a developer’s Xcode project at large contained the source malware — which leads to a rabbit hole of malicious payloads,” according to an analysis [PDF] from Trend Micro, released on Friday. “The threat escalates when affected developers share their projects via platforms such as GitHub, leading to a supply-chain-like attack for users who rely on these repositories as dependencies in their own projects. We have also identified this threat in other sources including VirusTotal and Github, which indicates this threat is at large.” The initial payload tucked into the projects comes in the form of a Mach-O executable. The researchers were able to trace an infected project’s Xcode work data files and found a hidden folder containing Mach-O, located in…

Source

R1 RCM Inc. [NASDAQ:RCM], one of the nation's largest medical debt collection companies, has been hit in a ransomware attack. Formerly known as Accretive Health Inc., Chicago-based R1 RCM brought in revenues of $1.18 billion in 2019. The company has more than 19,000 employees and contracts with at least 750 healthcare organizations nationwide. R1 RCM acknowledged taking down its systems in response to a ransomware attack, but otherwise declined to comment for this story. The "RCM" portion of its name refers to "revenue cycle management," an industry which tracks profits throughout the life cycle of each patient, including patient registration, insurance and benefit verification, medical treatment documentation, and bill preparation and collection from patients. The company has access to a wealth of personal, financial and medical information on tens of millions of patients, including names, dates of birth, Social Security numbers, billing information and medical diagnostic data. It's unclear when the intruders first breached R1's networks, but the ransomware was unleashed more than a week ago, right around the time the company was set to release its 2nd quarter financial results for 2020. R1 RCM declined to discuss the strain of ransomware it is battling or how it was compromised. Sources close to the investigation tell KrebsOnSecurity the malware is known as Defray. Defray was first spotted in 2017, and its purveyors have a history of specifically targeting companies in…

Source

A plugin that is designed to add quizzes and surveys to WordPress websites has patched two critical vulnerabilities. The flaws can be exploited by remote, unauthenticated attackers to launch varying attacks – including fully taking over vulnerable websites. The plugin, Quiz and Survey Master, is actively installed on over 30,000 websites. The two critical flaws discovered by researchers include an arbitrary file-upload vulnerability, ranking 10 out of 10 on the CVSS scale; as well as an unauthenticated arbitrary file deletion error, ranking 9.9 out of 10. A patch is available for both issues in version 7.0.1 of the plugin, said the researchers with Wordfence who discovered the flaws, in a Thursday post. “The unauthenticated arbitrary file-deletion vulnerability that was present in the plugin is pretty significant,” Chloe Chamberland, threat analyst with Wordfence, told Threatpost. “Any of the 30,000 sites running the plugin are subject to any file being deleted (granted they are running a vulnerable version), which includes the wp-config.php file, by unauthenticated site users.” The two vulnerabilities stemmed from a feature in the plugin that enables site owners to implement file uploads as a response type for a quiz or survey. For instance, if a website has a job-application questionnaire, the feature gives users the option to upload a PDF resume at the end. Researchers found that this feature was insecurely implemented: “The check to verify file type only looked at the…

Source

Instagram kept copies of deleted pictures and private direct messages on its servers even after someone removed them from their account. The Facebook-owned service acknowledged the slipup and awarded a security researcher $6,000 for finding the bug. Researcher Saugat Pokharel discovered the vulnerability when he downloaded his data last year from the photo-sharing app, according to a report on TechCrunch. The data included photos and private messages that he’d previously deleted, alerting him to a problem, he said. “Instagram didn’t delete my data even when I deleted them from my end,” Pokharel told TechCrunch. When he realized this, he reported the bug in October 2019 to Instagram through its bug bounty program, Pokharel said. He told TechCrunch that Instagram fixed the bug earlier this month. The flaw was in a feature that Instagram launched in 2018 in response to the European General Data Privacy Regulation (GDPR), which requires any companies operating in Europe to notify the authorities within 72 hours of confirming a data breach or face stiff financial penalties. The GDPR, which went into effect on May 25, 2018, also has a data portability component requiring companies to give people access to their data. Instagram’s feature allowing people to download their data came on the heels of its parent company Facebook providing a similar feature for its platform. The flaw is not the first time Instagram has been found saving people’s data even after they thought they…

Source

The U.S. government is warning of new malware, dubbed Drovorub, that targets Linux systems. It also claims the malware was developed for a Russian military unit in order to carry out cyber-espionage operations. The malware, Drovorub, comes with a multitude of espionage capabilities, including stealing files and remotely controlling victims’ computers. The malware is sophisticated and is designed for stealth, leveraging advanced “rootkit” technologies that make detection difficult. According to a Thursday advisory by the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), the malware especially represents a threat to national security systems such as the Department of Defense and Defense Industrial Base customers that use Linux systems. “Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server,” according to a 45-page deep-dive analysis of the malware published Thursday [PDF] by the FBI and NSA. “When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as ‘root’; and port forwarding of network traffic to other hosts on the network.” Despite the in-depth report, the FBI and NSA did not detail how the initial attack vector for the malware occurs. The report also…

Source

The China-based APT known as CactusPete has returned with a new campaign aimed at military and financial targets in Eastern Europe, which is a new geography for the group’s victimology, according to researchers. The group also used a fresh variant of the Bisonal backdoor, which allows the attackers to steal information, execute code on target machines and perform lateral movement inside a network. The activity, which Kaspersky tracked through the end of April, involved multiple sample versions of Bisonal, though these were nearly identical to each other. The samples have been compiled rapidly, with more than 20 of them per month appearing in the wild, the firm found. “This underlines the speed of CactusPete’s development,” noted Kaspersky researcher Konstantin Zykov, in a blog post on Thursday. He added that the backdoor was likely delivered to targets via spear-phishing emails with attachments containing exploits for known vulnerabilities, according to the analysis. On the technical side, the malware is fairly straightforward: Once the malware executes, it connects to a hard-coded command-and-control server (C2) using an unmodified HTTP-based protocol. “The request-and-response body are RC4-encrypted, and the encryption key is also hardcoded into the sample,” according to Zykov. “As the result of the RC4 encryption, it may contain binary data, [and] the malware additionally encodes it in Base64, to match the HTTP specification.” Once attached to the C2, Bisonal harvests…

Source

Video-conferencing behemoth Zoom has been hit with yet another lawsuit stemming from its claim to offer end-to-end encryption for sessions. The suit, filed in a Washington D.C. court [PDF] this week by a nonprofit advocacy group called Consumer Watchdog, alleges that the company falsely told users that it offers full encryption. Zoom previously said that it offered end-to-end encryption, but that marketing claim came into question after a report from The Intercept said that Zoom’s platform actually uses transport layer security (TLS) encryption, providing only encryption between individual users and service providers instead of encrypting communication directly between the users of a system. That, in theory, would allow the service to access user data if it chose to and leave it open to potential eavesdropping by a determined third party. In contrast, end-to-end encryption occurs when traffic is encrypted at the source user’s device, stays encrypted while it is routed through servers and is decrypted only at the destination user’s device. “Zoom repeated its end-to-end encryption claims throughout its website, in white papers—including in its April 2020 HIPAA Compliance Guide—and on the user interface within the app,” the suit alleges. Thus, the court documents claim that the company violated D.C.’s Consumer Protection Procedures Act (CPPA) and “lulled consumers and businesses into a false sense of security.” The suit is asking for an injunction against Zoom to prevent…

Source

A newly released threat report, tracking the biggest trends in the cybercriminal landscape, shows that attackers have been capitalizing on the global pandemic in various ways – from ransomware to web-based malware. Derek Manky, Chief, Security Insights & Global Threat Alliances at Fortinet’s FortiGuard Labs, said that the semi-annual FortiGuard Labs Global Threat Landscape Report [PDF] for the first half of 2020, released Wednesday, illustrates an “unprecedented cyber threat landscape.” “This [report] is particularly significant,” he said. “Typically, we see large threat movements over the course of years, but we’ve seen that in the course of six months now, thanks to the new normal of the global pandemic.” For instance, the perimeter has rapidly extended to the home with more employees working remotely, and “as people and technology shift so too do the cybercriminals,” said Manky, with cybercriminals launching a slew of web-based and browser attacks. In this week’s Threatpost podcast, Manky talks about the biggest takeaways from FortiGuard Labs’ recent report – including a spike in ransomware, operational technology (OT) security issues and more. […

Source

Researchers have discovered an attack on the Voice over LTE (VoLTE) mobile communications protocol that can break its encryption and allow attackers to listen in on phone calls. Dubbed ReVoLTE, the attack — detailed by a group of academic researchers from Ruhr University Bochum and New York University Abu Dhabi — exploits an implementation flaw in the LTE cellular protocol that exists at the level of a mobile base station. ReVoLTE makes use of predictable keystream reuse, a scenario in encryption in which stream ciphers, or encryption keys, are vulnerable to attack if the same key is used in a predictable fashion. The flaw can allow threat actors to recover the contents of an encrypted VoLTE call. “Eventually, the keystream reuse allows an adversary to decrypt a recorded call with minimal resources,” researchers David Rupprecht, Katharina Kohls, Thorsten Holz and Christina Pöpper wrote in a paper detailing the attack. The attack is novel in that standard cellular protocols typically aren’t targeted for hacking because researchers “never have the energy to deal with” the legwork involved in untangling the pages of documentation about the standard itself, according to cryptographer and Johns Hopkins University Professor Matthew Green. “Moreover, implementing the attacks requires researchers to mess with gnarly radio protocols,” he wrote in a blog post about the research. “And so, serious cryptographic vulnerabilities can spread all over the world, presumably only exploited by…

Source