Security Roundup - We Are All Screwed - Apache Struts 2 - KediRAT - UNITEDRAKE

FrgMstr

Have you been keeping up with the latest and "greatest" security threats? Surely you heard about Equifax screwing 143 million pooches last week, right? HardOCP security staff tells us that Apache Struts 2 is behind all that, and it is super easy to pull off. You can read more about that here, or just watch a video with nice soothing music that plays while your bank accounts are being compromised.

Check out the video.

Tons of new malware strains are now being introduced that use Gmail as the host, which makes it extremely hard to detect in an environment outside of the Google network. Get you some Kedi RAT that poses as a nice Citrix file. Clicker beware!

And finally, Shadow Brokers dropped a new NSA hacking tool last week: UNITEDRAKE. While not good, it is not nearly as bad as what we have seen in the past. Here is the full documentation (PDF) should you want to play with it in your own sandbox.
 
Offtopic: I love the 82 C temperature on the bottom bar of the presenter's machine. Yikes!

Ontopic: Scary stuff. I was wondering if this was the reason for the Equifax hack when it was first announced. There's gotta be more hacks coming from this exploit....
 
So is the fix for Apache known yet?

Yes.

Apache recommends removing the REST plugin if not in use. If your site is using XML for data exchange you should probably move back to JSON.

Apache has released a couple of patches that address this specific vulnerability for Struts, depending on whether you are running 2.5 or 2.3.

Patch Links:
2.5.13
2.3.34
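The two mitigations in the post above (drop the REST plugin, or stop it from accepting XML) both come down to which extensions the REST plugin is allowed to serve. The struts.xml fragment below is an added example, not code from the post or from the Struts project; it assumes a deployment with the struts2-rest-plugin on the classpath and uses the standard `struts.action.extension` constant. The commented-out value is the one I assume the plugin ships as its default; the active value is the restriction published as the workaround in the Struts S2-052 advisory, which is the issue the 2.5.13 / 2.3.34 releases fix.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
  <!-- Added example, not the project's own config.
       Weak setting (assumed to be the REST plugin's default extension list):
       "xml" is present, so a request body sent with
       Content-Type: application/xml is handed to the plugin's XStream handler
       and deserialized before the action ever runs. -->
  <!-- <constant name="struts.action.extension" value="xhtml,,xml,json" /> -->

  <!-- Hardened setting: serve only xhtml pages, the empty extension and JSON.
       With "xml" removed, the XML content-type handler is never selected,
       which is the S2-052 workaround. It is a stopgap, not a substitute for
       upgrading to 2.5.13 / 2.3.34. -->
  <constant name="struts.action.extension" value="xhtml,,json" />
</struts>
```

If the application does not use REST endpoints at all, prefer the first mitigation the post gives: remove the struts2-rest-plugin dependency (and its JAR from WEB-INF/lib) so no XML handler is deployed in the first place. After either change, a request with an `application/xml` body to a REST action should come back as an unsupported content type rather than being parsed; that is the quick check that the setting took effect.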
 
More quality Equifax security measures (admin/admin as login):
https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/

"From the main page of the Equifax.com.ar employee portal was a listing of some 715 pages worth of complaints and disputes filed by Argentinians who had at one point over the past decade contacted Equifax via fax, phone or email to dispute issues with their credit reports. The site also lists each person’s DNI — the Argentinian equivalent of the Social Security number — again, in plain text. All told, this section of the employee portal included more than 14,000 such records."



Edit: I thought people weren't sure about Struts vulnerabilities being responsible?
http://www.zdnet.com/article/equifa...ware-for-its-record-breaking-security-breach/
"A new and significant Struts security problem was uncovered on September 5. But, while some jumped on this as the security hole immediately, there was one little problem with that theory. Equifax admitted hackers had broken in between mid-May through July, long before the most recent Struts flaw was revealed.

It's far more likely that -- if the problem was indeed with Struts -- it was with a separate but equally serious security problem in Struts, first patched in March.

If that's the case, is it the fault of Struts developers or Equifax's developers, system admins, and their management?"
 
Some shops / enterprises still use Struts??

There's this awesome framework called Spring.

It's real nice.
 
If it's connected to the Internet, it's not secure.

Been saying this for years; we've traded security for convenience, and you're starting to see the effects. As business will never willingly adopt the necessary security measures (too expensive), you'd need the Feds to set minimum standards, but given 50% of the country will automatically oppose such an action (GOVERNMENT REGULATIONS!!!!!) that will never happen in reality. This is going to happen more and more and more.

Awaiting the day Paypal gets hit; that's the big elephant in the room.
 
Security experts have known about the vulnerabilities for some time now. Unfortunately, their demographics include those who hack for a living:

 
If it's connected to the Internet, it's not secure.

Been saying this for years; we've traded security for convenience, and you're starting to see the effects. As business will never willingly adopt the necessary security measures (too expensive), you'd need the Feds to set minimum standards, but given 50% of the country will automatically oppose such an action (GOVERNMENT REGULATIONS!!!!!) that will never happen in reality. This is going to happen more and more and more.

Awaiting the day Paypal gets hit; that's the big elephant in the room.
You don't need government standards on anything; you need better liability laws. In other words, Equifax is now responsible for any economic damage that can be linked (loosely, in other words, just using information that was leaked in the breach) to their breach for the life of everyone whose data was stolen. Shit will be solved overnight.
 