Struts your stuff

You would have to have been very, very busy or spent the last year doing Ibiza and the festival circuit on repeat to have forgotten about the Equifax breach, which saw the details of over 145 million user’s data being stolen in September 2017.

There are a lot of stories about the circumstances that led to the breach, some more reliable than others, what we can all be sure about however, is the fact that a server connected to the Equifax internal network and accessible from t’interwebs was left unpatched and was therefore wide open to a fairly well understood and documented vulnerability in the Apache Struts software components.

Cyber baddies are always on the look-out for unpatched shizzle. The speed with which they start probing targets after a patch is announced is astonishing. It was three days in the case of Equifax, which is a little bit tardy to the two hours we have observed.

Please be very cautions then, if you (or any of your friends) currently run Apache Struts on anything. Be aware that you may not know you are running it if, for instance, it is embedded in the web interface for infrastructure, like err, firewalls, routers and switches.

Why? Because yet another ‘Critical’ Struts vulnerability has been announced, having been researched by a security supremo Man Yue Mo for some time.

If you took the time to read the links above, or to research the issue yourselves, what you will find is that all of the resources a hacker (mwahahaha) would need to exploit this in the wild are out there and beginning to be seen.

So if you are running Apache web servers with Struts enabled, do the decent thing so you avoid being Equifuxed. You will probably see a swathe of updates for the embedded stuff from the usual suspects (Cisco amongst others). Taking a decision on what to patch when should be prioritised on devices with externally available Web connectivity, followed by the rest, it is unwise to let these things lurk around in case a device is repurposed or has another interface connected etc. some time in the future.

If you don’t have Struts anywhere, now might be the time to kick off your Bank Holiday weekend, but only if you are sure, very sure.

If you did us the great honour of reading this blog last week, you may remember our mate Dave (who is still on holiday in Greece, eating lamb and drinking Ouzo). After attempting to defraud Dave, hackers unknown (actually we do know who they are but aren’t saying), used an email account from Dave’s company to register two domains, paid for in Bitcoin. These domains both looked like very real domains with an extra letter in the middle, you know the score.

No real surprise then, to see this week that Microsoft have been blowing their own trumpets (which actually gets harder to do with the new Trumpetv11 package which doesn’t ship with a mouthpiece by default), about taking down Russian attempts to meddle (oh no not again Vlad!) with American Elections, using exactly this same technique. A phishing email directs unsuspecting punter/politician/porn star to a looky-likey site and the hackfest begins.

Anything we can do to undermine and prevent phishing attempts, we should. Technology is important, but as we have said many times before, user training and measurement using simulated attacks are the best tools.

Finding out if bad people are registering names that sound a bit like that of your company and are using them for bad things (that deserves another mwahahaha) is more difficult and is one of the benefits from integrating some threat intelligence services into your security portfolio. In our opinion, knowing if you are a target, or part of a group of targets, or in any way part of any attack chain will become a necessity, not nice to have in the coming years.

You will be unsurprised to know that our relaxed, sun-kissed team is available to help you with any of the issues discussed here. Apart from Dave, nobody can help Dave. Contact us at: [email protected] or call 020 7517 3900 and enjoy the Bank Holiday, reality is just around the corner.