Critical Vulnerability Patched in Apache Struts

The Apache Struts web development framework has received new security updates to address a critical vulnerability that could allow attackers to compromise web applications and servers. Apache Struts is widely used for developing web applications in en… Continue reading Critical Vulnerability Patched in Apache Struts

Critical Apache Struts flaw opens enterprises to compromise, patch ASAP!

A critical remote code execution vulnerability (CVE-2018-11776) in Apache Struts, the popular open source framework for developing Java-based web apps, could allow remote attackers to run malicious code on the affected servers. The vulnerability was di… Continue reading Critical Apache Struts flaw opens enterprises to compromise, patch ASAP!

New critical vulnerability exposes Apache Struts instances to remote attacks

A critical remote code execution vulnerability in Apache Struts, a popular open source web application software framework, allows hackers to take over targeted machines in attacks. The vulnerability (CVE-2018-11776) impacts the software, which is used by an estimated 65 percent of Fortune 100 companies and growing. Tuesday’s vulnerability is credited to insufficient validation of untrusted user data in the core of Struts. The announcement provoked a worried response from information security experts: 100% reliable RCE that where vulnerable targets are probably enumerable via Shodan… PATCH THIS. https://t.co/xj6yJjyjtk — Dino A. Dai Zovi (@dinodaizovi) August 22, 2018 The new Struts vulnerability was identified in April by Man Yue Mo from the Semmle Security Research Team. It was patched in June and publicly announced on Tuesday. Apache Struts users are urged to patch immediately. “Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are […]

The post New critical vulnerability exposes Apache Struts instances to remote attacks appeared first on Cyberscoop.

Continue reading New critical vulnerability exposes Apache Struts instances to remote attacks

New Apache Struts RCE Flaw Lets Hackers Take Over Web Servers

Semmle security researcher Man Yue Mo has disclosed a critical remote code execution vulnerability in the popular Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers.

Apache Struts is… Continue reading New Apache Struts RCE Flaw Lets Hackers Take Over Web Servers

Equifax CISO Jamil Farshchi’s three-act, ‘shared fate’ security plan

Even in normal times, credit reporting agencies are never among the world’s most admired companies. So it’s easy to see why Equifax’s brand reputation has suffered immensely thanks to the massive breach that saw information on 148 million people taken from the company and two former executives charged with insider trading. New Equifax CISO Jamil Farshchi is working to overcome the “visceral” reaction he’s witnessed post-breach. A veteran of massive rehabilitation efforts via his time spent as CISO at Home Depot, Farshchi is embarking on a plan to move Atlanta-based Equifax beyond its security lapses to a position where the company is actually seen as security leader. In an exclusive interview with CyberScoop, Farshchi describes his “three-act plan” to secure Equifax, which includes having the entire company understand that cybersecurity doesn’t fall to the IT division. “Security isn’t just security’s job,” he said. “Everyone needs to feel it through and […]

The post Equifax CISO Jamil Farshchi’s three-act, ‘shared fate’ security plan appeared first on Cyberscoop.

Continue reading Equifax CISO Jamil Farshchi’s three-act, ‘shared fate’ security plan

Over 10,000 companies downloading software vulnerable to Equifax hack

Even after the massive data breach allowed hackers to steal the personal information of 148 million Equifax customers, thousands of companies are still using the software that made the breach possible.  According to Fortune, Maryland-based cybersecurity firm Sonatype identified as many as 10,801 organizations that have downloaded an old version of Apache Struts — the same free, open-source software that hackers exploited to swipe the names, social security numbers, birthdays, addresses, and other identifiers from Equifax’s databases.  Of the organizations that downloaded the vulnerable version of the software, seven of the businesses were Fortune Global 100 tech companies, eight were Fortune Global 100 automakers, and 15 were Fortune Global 100 financial services or insurance firms, according to Fortune.  The Apache Software Foundation has released seven patched versions of the software since March 2017. Apache Struts is used as an app building tool, and usually as a framework for online payment systems.  […]

The post Over 10,000 companies downloading software vulnerable to Equifax hack appeared first on Cyberscoop.

Continue reading Over 10,000 companies downloading software vulnerable to Equifax hack

Nation state hackers attempted to use Equifax vulnerability against DoD, NSA official says

A government-backed hacking group tried to breach the Department of Defense via the exact same software vulnerability that was used to breach Equifax, an official with the National Security Agency said Tuesday during a speech at the 2018 RSA conference. “The vulnerability that took down Equifax last year when it was released in March, we had a nation-state actor within 24 hours scanning looking for unpatched servers within the DoD,” said David Hogue, a senior technical director for the NSA’s Cybersecurity Threat Operations Center (NCTOC). The malicious activity caught by NSA shows how most attackers, regardless of skill or available resources, will first rely on simplistic and easily accessible methods to compromise their victims. In this case, the attackers relied on a known vulnerability in the Apache Struts software framework to target the DoD. Hogue said that most data breach incidents that are analyzed by his team are caused by phishing […]

The post Nation state hackers attempted to use Equifax vulnerability against DoD, NSA official says appeared first on Cyberscoop.

Continue reading Nation state hackers attempted to use Equifax vulnerability against DoD, NSA official says

The State of Web Application Vulnerabilities in 2017

As a web application firewall provider, part of our job at Imperva is constantly monitoring new security vulnerabilities. To do this, we use internal software that collects information from various data sources such as vulnerability databases, newslett… Continue reading The State of Web Application Vulnerabilities in 2017