Security News: Hackers Aim Ransomware at Big Cos., as Experts Call for Swift Patching of Struts Bug


Ransomware raids aimed at specific targets with big pockets. Another Struts vulnerability -- but scarier than last year’s. An Android spyware that records your phone calls. These are some of the security news that have caught our attention. ### New Struts Bug Should Be Patched Yesterday ![](https://blog.qualys.com/wp-content/uploads/2018/08/struts-logo-300x150.png)Apache patched a serious remote code execution vulnerability ([CVE-2018-11776](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776>)) affecting all supported versions -- 2.3 to 2.3.34 and 2.5 to 2.5.16 -- of the widely used Struts Java application framework. The bug is considered more dangerous than the one disclosed last year in Struts that was exploited in the massive data breach at Equifax. In the Apache [security bulletin](<https://cwiki.apache.org/confluence/display/WW/S2-057>), the vulnerability is rated “Critical” and users are advised to immediately upgrade to Struts 2.3.35 or Struts 2.5.17. The remote code execution becomes possible “when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace” and “when using url tag which doesn’t have value and action set,” the bulletin reads. Organizations should upgrade to the patched Struts versions even if their applications aren’t vulnerable to this bug. “An inadvertent change to a Struts configuration file may render the application vulnerable in the future,” [stated](<https://semmle.com/news/apache-struts-CVE-2018-11776>) Semmle, whose security researcher Man Yue Mo discovered this vulnerability. Upgrading should take first priority, considering that Struts is widely used for public web apps, vulnerable systems are easy to identify, and the bug is easy to exploit, according to the company. “A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It’s crucially important to update affected systems immediately; to wait is to take an irresponsible risk,” said Pavel Avgustinov, a Semmle VP. Writing in the Qualys blog, Product Management Director Jimmy Graham [noted](<https://blog.qualys.com/securitylabs/2018/08/23/detecting-apache-struts-2-namespace-rce-cve-2018-11776>) that the vulnerability does not exist with a default configuration of Struts, but that “it does exist in commonly seen configurations for some Struts plugins.” “Due to the ease of exploitation and relatively common configuration that is required, this vulnerability should be patched immediately for all applications that use Struts 2,” Graham wrote. Qualys has defined two QIDs to detect this vulnerability (QID 13251 and QID 371151), and created dynamic [dashboards](<https://community.qualys.com/docs/DOC-6515-dashboards-and-reporting-detecting-apache-struts-2-namespace-rce-cve-2018-11776?_ga=2.73902801.230834091.1535379602-620242525.1458325156>) to visualize it. ![](https://blog.qualys.com/wp-content/uploads/2018/08/struts-dashboard-2018.png) Graham also describes how the Qualys Web Application Firewall (WAF) can mitigate the vulnerability. More information: [Apache Struts 2 namespace Remote Code Execution Vulnerability: CVE-2018-11776](<https://threatprotect.qualys.com/2018/08/22/apache-struts-2-namespace-remote-code-execution-vulnerability-cve-2018-11776/?_ga=2.140995313.230834091.1535379602-620242525.1458325156>) _(Qualys)_ [Apache Struts 2 Flaw Uncovered: ‘More Critical Than Equifax Bug’](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>) _(ThreatPost)_ [Admins Urged: Stop Everything and Patch New Apache Struts Flaw](<https://www.infosecurity-magazine.com/news/admins-stop-everything-patch/>) _(InfoSecurity)_ [Experts Urge Rapid Patching of ‘Struts’ Bug](<https://krebsonsecurity.com/2018/08/experts-urge-rapid-patching-of-struts-bug/>) _(Krebs on Security)_ [PoC Code Surfaces to Exploit Apache Struts 2 Vulnerability](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) _(ThreatPost)_ ### Ransomware Campaign Attacks Selected Organizations ![](https://blog.qualys.com/wp-content/uploads/2018/08/ransomware-2320941_1280-600x400.jpg)Cyber thieves recently began attacking handpicked corporations with ransomware and demanding skyhigh bitcoin payments. The criminals are deliberately targeting specific large businesses, and they’re using ransomware called Ryuk that’s designed for tailored attacks. They reportedly netted more than $600,000 during the campaign’s first two weeks. “Its encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network with its infection and distribution carried out manually by the attackers,” CheckPoint researchers [wrote](<https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/>). The implication is that prior to each attack, “extensive network mapping, hacking and credential collection” is conducted by the miscreants, believed to have ties to the notorious hacker collective Lazarus Group and be experienced in targeted attacks, according to the researchers. More information: [This new ransomware campaign targets business and demands a massive bitcoin ransom](<https://www.zdnet.com/article/this-new-ransomware-campaign-targets-business-and-demands-a-massive-bitcoin-ransom/>) _(ZDnet)_ [Ryuk Ransomware Emerges in Highly Targeted, Highly Lucrative Campaign](<https://threatpost.com/ryuk-ransomware-emerges-in-highly-targeted-highly-lucrative-campaign/136755/>) _(ThreatPost)_ [Ryuk Ransomware Crew Makes $640,000 in Recent Activity Surge](<https://www.bleepingcomputer.com/news/security/ryuk-ransomware-crew-makes-640-000-in-recent-activity-surge/>) _(BleepingComputer)_ ### T-Mobile Hacked, Millions Affected Personal information of 2 million T-Mobile customers, [including encrypted passwords](<https://motherboard.vice.com/en_us/article/a3qpk5/t-mobile-hack-data-breach-api-customer-data>), may have been accessed by hackers via a breached API on August 20. The compromised data may have included names, billing zip codes, phone numbers, email addresses, and account numbers, but not financial information nor Social Security numbers, [according to the company](<https://www.t-mobile.com/customers/6305378821>). T-Mobile hasn’t provided further details on the nature of the attack. On related news, customer security PINs from T-Mobile and AT&T were found to be accessible due to unrelated flaws in partners’ websites, [according to BuzzFeed](<https://www.buzzfeednews.com/article/nicolenguyen/tmobile-att-account-pin-security-flaw-apple>). Apple’s online store exposed the T-Mobile data, while the website of phone insurance company Asurion exposed AT&T’s data. Both companies fixed the flaws after being alerted to them. Access to a mobile account PIN could let a hacker “easily commandeer your phone number and use it to trick the SMS-based authentication designed to verify your identity when you log on to your bank, email provider, or social media accounts,” wrote Nicole Nguyen in BuzzFeed. Meanwhile, a security researcher was able to [enter a Sprint employee portal](<https://techcrunch.com/2018/08/25/hacker-accessed-sprint-portal-customer-data/>) protected by weak credentials, and said customer data could have been accessed. More information: [Passwords Part of Data Breach, T-Mobile Admits: What to Do Now](<https://www.tomsguide.com/us/tmobile-breach-2018,news-27876.html>) _(Tom’s Guide)_ [Why T-Mobile's Data Breach Should Be a Wake-Up Call](<https://www.fool.com/investing/2018/08/27/why-t-mobiles-data-breach-should-be-a-wake-up-call.aspx>) _(Motley Fool)_ [2 Million T-Mobile Customers Are Hit by a Data Breach](<https://www.consumerreports.org/privacy/2-million-t-mobile-customers-hit-by-data-breach/>) _(Consumer Reports)_ [Security researchers found vulnerabilities at AT&T, T-Mobile, and Sprint that could have exposed customer data](<https://www.theverge.com/2018/8/25/17781906/att-tmobile-sprint-security-vulnerabilities-customer-information>) _(The Verge)_ [T-Mobile, AT&T customer account PINs were exposed by website flaws](<https://www.engadget.com/2018/08/25/t-mobile-att-pin-vulnerability/>) _(Engadget)_ ### Android Malware Records Calls, Takes Videos ![](https://blog.qualys.com/wp-content/uploads/2018/08/Android-logo-300x188.png)Malware that infects Android devices and conducts extensive snooping has been discovered bundled in a malicious app that mimics a legitimate one. Called Triout, the spyware stealthily can record phone calls, log incoming text messages, take videos, snap photos, collect location data and transmit everything it collects to a command and control center, [according to Bitdefender](<https://www.bitdefender.com/files/News/CaseStudies/study/234/Bitdefender-Whitepaper-Triout-The-Malware-Framework-for-Android-That-Packs-Potent-Spyware-Capabilities.pdf>), which discovered it. “The malware was first observed lurking in an app, repackaged to look identical to a legitimate Android app called ‘Sex Game.’ It was available in the Google Play store starting in 2016, but has since been removed,” a ThreatPost [article](<https://threatpost.com/triout-malware-carries-out-extensive-targeted-android-surveillance/136773/>) reads. More information: [Android 'Triout' spyware records calls, sends photos and text messages to attackers](<https://www.csoonline.com/article/3299700/security/android-triout-spyware-records-calls-sends-photos-and-text-messages-to-attackers.html>) _(CSO)_ [This Android spyware records calls and sends your pictures and location to hackers](<https://www.zdnet.com/article/android-spyware-malware-records-calls-and-sends-your-pictures-to-hackers/>) _(ZDnet)_ [New Android Triout Malware Can Record Phone Calls, Steal Pictures](<https://www.bleepingcomputer.com/news/security/new-android-triout-malware-can-record-phone-calls-steal-pictures/>) _(BleepingComputer)_ ### In Other News … * Cyber thieves [stole](<https://cheddars.com/customer-notification/>) payment card information from Cheddar’s Scratch Kitchen restaurants in 23 U.S. states for two months late last year, potentially affecting [almost 600,000 customers](<https://www.prnewswire.com/news-releases/notice-of-unauthorized-access-to-cheddars-scratch-kitchen-guest-data-300701161.html>). * Apple was hacked by a 16-year old Australian boy who told authorities he [dreamed of working](<https://hotforsecurity.bitdefender.com/blog/apple-hacked-by-16-year-old-who-dreamed-of-working-for-firm-20254.html>) at the company. * Adobe issued [out-of-band fixes](<https://helpx.adobe.com/security/products/photoshop/apsb18-28.html>) for remote code execution vulnerabilities in Photoshop CC, barely a week after its scheduled monthly set of patches. * Spyfone, a company that lets parents and employers monitor mobile devices, left an AWS S3 storage bucket unprotected, [exposing all manner of personal data](<https://motherboard.vice.com/amp/en_us/article/9kmj4v/spyware-company-spyfone-terabytes-data-exposed-online-leak>) from thousands of customers.