Security Roundup - We Are All Screwed - Apache Struts 2 - KediRAT - UNITEDRAKE

Discussion in '[H]ard|OCP Front Page News' started by Kyle_Bennett, Sep 13, 2017.

  1. Kyle_Bennett

    Kyle_Bennett El Chingón Staff Member

    Messages:
    47,585
    Joined:
    May 18, 1997
    Have you been keeping up with the latest and "greatest" security threats? Surely you heard about Equifax screwing 143 million pooches last week, right? HardOCP security staff tells us that Apache Struts 2 is behind all that, and it is super easy to pull off. You can read more about that here, or just watch a video with nice soothing music that plays while your bank accounts are being compromised.

    Check out the video.

    Tons of new malware strains are now being introduced that use Gmail as the host, which makes it extremely hard to detect in an environment outside of the Google network. Get you some Kedi RAT that poses as a nice Citrix file. Clicker beware!

    And finally Shadow Brokers dropped a new NSA hacking tool last week; UNITEDRAKE. While not good, not near as bad as what we have seen in the past. Here is the full documentation (PDF) should you want to play with it in your own sandbox.
     
    scojer and Q-BZ like this.
  2. Azrak

    Azrak Limp Gawd

    Messages:
    506
    Joined:
    Oct 4, 2015
    Offtopic: I love the 82 C temperature on the bottom bar of the presenter's machine. Yikes!

    Ontopic: Scary stuff. I was wondering if this was the reason for the Equifax hack when it was first announced. There's gotta be more hacks coming from this exploit....
     
  3. DigitalGriffin

    DigitalGriffin 2[H]4U

    Messages:
    3,436
    Joined:
    Oct 14, 2004
  4. DigitalGriffin

    DigitalGriffin 2[H]4U

    Messages:
    3,436
    Joined:
    Oct 14, 2004
    So is the fix for Apache known yet?
     
  5. Schtask

    Schtask Limp Gawd

    Messages:
    354
    Joined:
    Nov 29, 2011
    Yes.

    Apache recommends removing the REST plugin if not in use. If your site is using XML for data exchange you should probably move back to JSON.

    Apache has released a couple of patches that address this specific vulnerability for struts depending on if you are running 2.5 or 2.3.

    Patch Links:
    2.5.13
    2.3.34
     
    DigitalGriffin likes this.
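An added example, not part of the post above or of any Apache tooling: a Python inventory check that applies the post's advice to a deployment by flagging Struts jars older than the fixed releases it names (2.3.34 and 2.5.13) and any deployed REST plugin. It assumes jars keep their standard names (`struts2-core-<version>.jar`, `struts2-rest-plugin-<version>.jar`) under `WEB-INF/lib`, so renamed or repackaged jars are not detected; the sample listing is constructed.

```python
import re
from pathlib import Path

# Fixed releases named in the post above, keyed by release line.
FIXED = {(2, 3): (2, 3, 34), (2, 5): (2, 5, 13)}
# Assumption: jars keep their standard artifact names.
JAR_RE = re.compile(r"^(struts2-core|struts2-rest-plugin)-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.3.20.1' -> (2, 3, 20, 1), so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def assess(jar_names):
    """Return (jar, finding) pairs for the Struts jars in a lib listing."""
    findings = []
    for name in jar_names:
        match = JAR_RE.match(name)
        if not match:
            continue  # not a Struts core or REST plugin jar
        artifact, version = match.group(1), parse_version(match.group(2))
        fixed = FIXED.get(version[:2])
        if fixed is None:
            status = "unknown release line, check manually"
        elif version < fixed:
            status = "below fixed release " + ".".join(map(str, fixed))
        else:
            status = "at or above fixed release"
        if artifact == "struts2-rest-plugin":
            status += "; REST plugin deployed, remove if unused"
        findings.append((name, status))
    return findings


def scan(root):
    """Assess every jar found in a WEB-INF/lib directory below root."""
    return assess(sorted(p.name for p in Path(root).rglob("WEB-INF/lib/*.jar")))


if __name__ == "__main__":
    # Constructed listing of one application's WEB-INF/lib directory.
    sample = ["commons-io-2.4.jar", "struts2-core-2.3.32.jar",
              "struts2-rest-plugin-2.3.32.jar"]
    for jar, finding in assess(sample):
        print(f"{jar}: {finding}")
```

Point `scan()` at an application server's deployment root to check every unpacked web application at once; packed `.war` files have to be extracted first.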
  6. ChoGGi

    ChoGGi Gawd

    Messages:
    875
    Joined:
    May 7, 2005
    More quality Equifax security measures (admin/admin as login):
    https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/

    "From the main page of the Equifax.com.ar employee portal was a listing of some 715 pages worth of complaints and disputes filed by Argentinians who had at one point over the past decade contacted Equifax via fax, phone or email to dispute issues with their credit reports. The site also lists each person’s DNI — the Argentinian equivalent of the Social Security number — again, in plain text. All told, this section of the employee portal included more than 14,000 such records."



    Edit: I thought people weren't sure about Struts vulnerabilities being responsible?
    http://www.zdnet.com/article/equifa...ware-for-its-record-breaking-security-breach/
    "A new and significant Struts security problem was uncovered on September 5. But, while some jumped on this as the security hole immediately, there was one little problem with that theory. Equifax admitted hackers had broken in between mid-May through July, long before the most recent Struts flaw was revealed.

    It's far more likely that -- if the problem was indeed with Struts -- it was with a separate but equally serious security problem in Struts, first patched in March.

    If that's the case, is it the fault of Struts developers or Equifax's developers, system admins, and their management?"
     
    Last edited: Sep 13, 2017
  7. atp1916

    atp1916 2[H]4U

    Messages:
    2,528
    Joined:
    Jun 18, 2004
    Some shops / enterprises still use Struts??

    There's this awesome framework called Spring.

    It's real nice.
     
  8. viscountalpha

    viscountalpha [H]ard|Gawd

    Messages:
    1,988
    Joined:
    Oct 16, 2011
    I'm reminded why I turn off my pc when I'm not live at the desktop.
     
  9. gamerk2

    gamerk2 Gawd

    Messages:
    956
    Joined:
    Jul 9, 2012
    If it's connected to the Internet, it's not secure.

    Been saying this for years; we've traded security for convenience, and you're starting to see the effects. As business will never willingly adopt the necessary security measures (too expensive), you'd need the Feds to set minimum standards, but given 50% of the country will automatically oppose such an action (GOVERNMENT REGULATIONS!!!!!) that will never happen in reality. This is going to happen more and more and more.

    Awaiting the day Paypal gets hit; that's the big elephant in the room.
     
  10. iamjanco

    iamjanco [H]Lite

    Messages:
    102
    Joined:
    Jul 8, 2016
    Security experts have known about the vulnerabilities for some time now. Unfortunately, their demographics include those who hack for a living:

     
  11. Romale23

    Romale23 Gawd

    Messages:
    880
    Joined:
    Dec 12, 2006
    You don't need government standards on anything, you need better liability laws. In other words, Equifax is now responsible for any economic damage that can be linked (loosely, in other words, just using information that was leaked in the leak) to their breach for the life of everyone whose data was stolen. Shit will be solved overnight.
     
  12. Ordeith

    Ordeith Limp Gawd

    Messages:
    368
    Joined:
    May 30, 2013
    Best not to use Apache.
     
  13. ChoGGi

    ChoGGi Gawd

    Messages:
    875
    Joined:
    May 7, 2005