U.S. credit reporting bureau Equifax confirmed Wednesday that the theft of personal information of more than 143 million consumers from its systems in May was the result of a vulnerability in the Apache Struts framework.
The culprit was not the critical Struts REST plugin vulnerability patched recently, as some unsubstantiated reports suggested over the past week, but an older vulnerability in the Struts Jakarta Multipart parser that was fixed in March. That flaw is tracked as CVE-2017-5638.
Equifax’s admission calls into question the company’s patch management and overall security procedures, because the Jakarta Multipart parser flaw was immediately followed in March by widespread attacks that were highly publicized.
The incident highlights the dangers of not keeping track of the software components running on your systems—especially those that are publicly accessible—and not deploying security patches for those applications in a timely manner.
“Equifax’s overt negligence is undoubtedly reprehensible; however, I think the waterfall of harsh critique also becomes unfair,” said Ilia Kolochenko, CEO of web security firm High-Tech Bridge, via email. “The sad and inconvenient truth is that a majority of large companies have similar challenges, problems and weakness in their cybersecurity. Most companies still fail to maintain a proper application inventory and thus keep critical vulnerabilities unpatched for months.”
Over the past few years, it has become increasingly clear that companies have very little time to deploy patches before attacks start. In many cases, publicly available exploits appear within hours for newly patched vulnerabilities and are quickly adapted into malicious attacks.
A recent example is CVE-2017-9805, a critical deserialization vulnerability in the Struts framework’s REST plug-in. The flaw was found by researchers from software engineering analytics firm Semmle who worked closely with the Struts developers to coordinate how and when it would be disclosed to the public.
The vulnerability was patched in Struts 2.5.13, which was released Sept. 5, and the Semmle researchers held back from publishing proof-of-concept exploit code to allow users sufficient time to upgrade their deployments. That didn’t help too much because by the next day other people had already figured out the details of the flaw and uploaded an exploit for it to the Metasploit penetration testing framework. A day later, researchers from Cisco Systems’ Talos team started seeing attacks in the wild targeting the vulnerability.
U.S. DHS to Ban Kaspersky Lab Products From Government Computers
The U.S. Department of Homeland Security has ordered all departments and agencies of the federal government’s executive branch to prepare for the removal of products made by Russian security firm Kaspersky Lab from their systems in 90 days.
The order comes after various U.S. government officials have warned over the past few months that allowing software made by the Russian company to run on governmental systems poses a security risk. The main argument seems to be that the firm or its employees might be connected to the Russian intelligence agencies and might be forced to act on their behalf. The company has repeatedly denied such allegations.
“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” the DHS said in a press release. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”
The DHS’ Binding Operational Directive (BOD) calls for government agencies to identify the presence of Kaspersky Lab products on their systems within 30 days, to create plans for the replacement of such products within 60 days and to begin removing them after 90 days.
“No credible evidence has been presented publicly by anyone or any organization as the accusations are based on false allegations and inaccurate assumptions, including the claims about Russian regulations and policies impacting the company,” Kaspersky Lab said in a press release in response to the DHS order. “Kaspersky Lab has always acknowledged that it provides appropriate products and services to governments around the world to protect those organizations from cyberthreats, but it does not have unethical ties or affiliations with any government, including Russia.”
The company’s CEO, Eugene Kaspersky, believes his company is targeted due to the current geopolitical tensions between the United States and Russia rather than any actual evidence of wrongdoing.
“Perhaps what’s most unsettling of all is that other cybersecurity companies from other countries may soon be in the same position as us,” he said in a blog post. “Geopolitical debates don’t need truth; blame can be assigned by default without any evidence.”
ExpensiveWall Malware Found in Android Apps Downloaded Millions of Times
Security researchers from Check Point Software Technologies found a strain of Android malware they call ExpensiveWall embedded in 50 Android applications that were hosted on Google Play. They estimate the apps have been downloaded between 1 and 4.2 million times.
ExpensiveWall is a new variant of a known Android malware family and its goal is to subscribe victims to paid services and to send unauthorized text messages to premium-rate numbers.
What’s interesting about this threat is that its malicious code was likely integrated into apps as a software development kit (SDK). App developers normally embed SDKs provided by advertising networks or user analytics providers, so it’s not clear if in this case they knew that they were adding malicious functionality to their apps.
Furthermore, according to the Check Point researchers, the ExpensiveWall code was heavily obfuscated, or “packed.” This technique might have been used to hide the code from Google Play’s malware scanner, but also possibly from the app developers themselves.
The incident shows that simply downloading apps from the official app store does not guarantee a malware-free experience for users.