New Apache Struts RCE Flaw Lets Hackers Take Over Web Servers

Semmle security researcher Man Yue Mo has disclosed a critical remote code execution vulnerability in the popular Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers.

Apache Struts is an open source framework for developing web applications in the Java programming language and is widely used by enterprises globally, including by 65 percent of the Fortune 100 companies, like Vodafone, Lockheed Martin, Virgin Atlantic, and the IRS.

The vulnerability (CVE-2018-11776) resides in the core of the Struts framework and stems from insufficient validation of untrusted, user-provided input under certain configurations.

The newly found Apache Struts exploit can be triggered just by visiting a specially crafted URL on the affected web server, allowing attackers to execute malicious code and eventually take complete control over the targeted server running the vulnerable application.

Struts2 Vulnerability – Are You Affected?

All applications that use Apache Struts—supported versions (Struts 2.3 to Struts 2.3.34, and Struts 2.5 to Struts 2.5.16) and even some unsupported Apache Struts versions—are potentially vulnerable to this flaw, even when no additional plugins have been enabled.
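One defender-side check the version ranges above invite, added here as an example that is not from the article or from the Struts project: a small Python classifier that maps a Struts version string (or a struts2-core jar file name) onto the affected ranges stated in the text. The inventory format and host names are constructed for the example.

```python
"""Classify Apache Struts versions against the affected ranges quoted in the
article: 2.3 through 2.3.34 and 2.5 through 2.5.16 (CVE-2018-11776).
Added example, not part of the original post."""
import re

# Inclusive (low, high) bounds of the affected ranges given in the article.
AFFECTED_RANGES = (
    ((2, 3, 0), (2, 3, 34)),
    ((2, 5, 0), (2, 5, 16)),
)


def parse_version(text):
    """Turn '2.5.16' or 'struts2-core-2.3.34.jar' into a comparable tuple.
    Only the first major.minor[.patch] run is used; extra qualifiers are ignored."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(version):
    """Return 'affected', 'unsupported' (older than 2.3, which the article says
    may also be affected) or 'outside-range' (not in the ranges listed)."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if low <= v <= high:
            return "affected"
    if v < (2, 3, 0):
        return "unsupported"
    return "outside-range"


def scan_inventory(lines):
    """lines: constructed 'host<TAB>jar' records from a hypothetical asset list."""
    return {host: classify(jar) for host, jar in (l.split("\t") for l in lines)}


if __name__ == "__main__":
    # Constructed sample inventory (hosts and jars are hypothetical).
    sample = [
        "app01.example.internal\tstruts2-core-2.5.16.jar",
        "app02.example.internal\tstruts2-core-2.3.34.jar",
        "app03.example.internal\tstruts2-core-2.2.1.jar",
        "app04.example.internal\tstruts2-core-2.5.17.jar",
    ]
    for host, status in scan_inventory(sample).items():
        print(f"{host}: {status}")
```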

images from Hacker News

New Android Malware Framework Turns Apps Into Powerful Spyware

Security researchers have uncovered a new, powerful Android malware framework that is being used by cybercriminals to turn legitimate apps into spyware with extensive surveillance capabilities—as part of what seems to be a targeted espionage campaign.

When legitimate Android applications are bundled with the malware framework, dubbed Triout, they gain the ability to spy on infected devices by recording phone calls, monitoring text messages, secretly stealing photos and videos, and collecting location data, all without the users’ knowledge.

The strain of Triout-based spyware apps was first spotted by the security researchers at Bitdefender on May 15 when a sample of the malware was uploaded to VirusTotal by somebody located in Russia, but most of the scans came from Israel.

In a white paper (PDF) published Monday, Bitdefender researcher Cristofor Ochinca said the malware sample they analysed was packaged inside a malicious version of an Android app that had been available on Google Play in 2016 but has since been removed.

The malware is extremely stealthy: the repackaged version of the Android app keeps the look and feel of the original app and functions exactly like it (in this case, the researcher analysed an adult app called ‘Sex Game’) in order to trick its victims.

In reality, however, the app contains a malicious Triout payload with powerful surveillance capabilities that steals data about users and sends it back to an attacker-controlled command and control (C&C) server.

According to the researcher, Triout can perform many spying operations once it compromises a system, including:

  • Recording every phone call, saving it in the form of a media file, and then sending it together with the caller id to a remote C&C server.
  • Logging every incoming SMS message to the remote C&C server.
  • Sending all call logs (with name, number, date, type, and duration) to the C&C server.
  • Sending every picture and video to the attackers whenever the user snaps a photo or records a video, with either the front or rear camera.
  • Capability to hide itself on the infected device.

Despite these powerful capabilities, the researchers found that the malware does not use obfuscation, which gave them full access to its source code by merely unpacking the APK file, suggesting the malware is a work in progress.

Apple Forces Facebook VPN App Out of iOS Store for Stealing Users’ Data

Facebook yesterday removed its mobile VPN app called Onavo Protect from the iOS App Store after Apple declared the app violated the iPhone maker’s App Store guidelines on data collection.

For those who are unaware, Onavo Protect is a Facebook-owned Virtual Private Network (VPN) app that was primarily designed to help users keep tabs on their mobile data usage; Facebook acquired it from an Israeli analytics startup in 2013.

The so-called VPN app was the source of controversy earlier this year, when the social media giant offered it as a free mobile VPN app, promising to “keep you and your data safe when you browse and share information on the web.”

However, Onavo Protect became a data collection tool for Facebook, helping the company track smartphone users’ activity across many different applications to gain insight into how Facebook users use third-party apps.

Why Did Apple Remove Facebook’s Free VPN App?

Now, according to a new report from the Wall Street Journal, Apple informed Facebook earlier this month that Onavo Protect violated its new App Store Guidelines, implemented in June, which restrict app developers from building databases out of user information and selling them to third parties.

A discussion between Apple and Facebook about the app took place last week, and Apple reportedly suggested that Facebook “voluntarily” remove Onavo Protect from the App Store, to which Facebook agreed.

NSA Leaker ‘Reality Winner’ Gets More Than 5 Years in Prison

A former NSA contractor, who pleaded guilty to leaking a classified report on Russian hacking of the 2016 U.S. presidential election to an online news outlet last year, has been sentenced to five years and three months in prison.

Reality Winner, a 26-year-old Georgia woman who held a top-secret security clearance and worked as a government contractor in Georgia with Pluribus International, initially faced 10 years in prison and a $250,000 fine.

However, in the U.S. District Court in Augusta, Georgia on Thursday, Winner agreed to a plea agreement that called for five years and three months in prison with three years of supervision after release.

Back in May 2017, Winner printed out a top-secret document detailing Russian hacking of U.S. voting systems, smuggled the report out of the agency in her underwear, and then mailed it anonymously to The Intercept.

The Intercept, an online publication that has been publishing classified NSA documents leaked by Edward Snowden since 2014, later published the five-page report provided by Winner on its website.

The leaked report claimed that in August 2016, Russia’s military intelligence agency GRU “executed a cyber attack on at least one U.S. voting software supplier and sent spear-phishing emails to more than 100 local election officials days before [the] election,” revealing that U.S. intelligence agencies knew of Russia’s efforts to hack into its voting systems.

Winner was caught after The Intercept apparently contacted NSA officials and turned over a copy of the report to verify its authenticity while asking for comment before publishing its report.

That tipped the government off that the classified report had been printed out and removed from its facility. Officials then used the “microdots” (nearly invisible yellow tracking dots) on the printout to identify the exact printer on which the document was printed.

T-Mobile Hacked — 2 Million Customers’ Personal Data Stolen

T-Mobile today confirmed that the telecom giant suffered a security breach on its US servers on August 20 that may have resulted in the leak of “some” personal information of up to 2 million T-Mobile customers.

The leaked information includes customers’ names, billing zip codes, phone numbers, email addresses, account numbers, and account type (prepaid or postpaid).

The good news, however, is that no financial information such as credit card numbers, social security numbers, or passwords was compromised in the breach.

According to a brief blog post published by the company detailing the incident, its cybersecurity team detected and shut down an “unauthorised capture of some information” on Monday, August 20.

Although the company has not revealed how the hackers managed to get into its servers, nor disclosed the exact number of customers affected by the breach, a T-Mobile spokesperson told Motherboard that less than 3 percent of its 77 million customers were affected.

The spokesperson also said that unknown hackers, part of “an international group,” managed to access T-Mobile servers through an API that “didn’t contain any financial data or other very sensitive data,” adding, “We found it quickly and shut it down very fast.”

T-Mobile said the company informed law enforcement about the security breach and is reaching out to its affected customers directly via SMS message, letter in the mail, or a phone call to notify them as well.
