Like Equifax, Thousands of Companies Use Vulnerable Apache Struts Versions

U.S. credit monitoring bureau Equifax has been heavily criticized for its failure to patch a known critical vulnerability in the Apache Struts web development framework, an oversight that led to a massive data breach affecting 143 million people. A new report shows that poor patch management practices are common in enterprise environments and that Equifax is just one of thousands of companies that used a vulnerable Struts version over the past year.

Data obtained by Sonatype, a software supply chain automation vendor, shows that 46,557 organizations downloaded vulnerable versions of Struts or its components over the past 12 months, despite patched versions being available. Furthermore, 3,054 organizations downloaded the exact same vulnerable version of Struts that hackers exploited to break into Equifax’s servers.

Sonatype hosts the main repository for Java components that developers worldwide integrate into their applications. This gives the company direct insight into which versions of these components are downloaded and how often.

Apache Struts is a development framework for Java-based web applications that is particularly popular in enterprise environments. Attackers broke into an Equifax web server in mid-May by exploiting a known vulnerability in Struts for which a patch had been available since March 10.

In previous reports, Sonatype warned that 1 in 22 open-source software components that are downloaded and integrated into production software by companies have known vulnerabilities and that 43 percent of organizations have no procedures in place to track the security of such components.

“Like people who accidentally bring expired milk home from the grocery store, companies that download and deploy known vulnerable open-source components are simply not paying attention,” said Wayne Jackson, CEO of Sonatype. “The Equifax breach highlights the fact that perimeter security alone is not sufficient to protect personal data when hackers can easily exploit applications by targeting known vulnerable software components.”

Iranian Cyberespionage Group Hits Aerospace, Energy Sectors

A cyberespionage group that’s likely tied to the Iranian government is targeting companies from the aerospace and petrochemical industries. While the group has been focused on intelligence-gathering so far, there are signs it has access to data-wiping malware and could decide to launch destructive attacks in the future.

The group is tracked as APT33 and has been operating since at least 2013, according to security firm FireEye. Since last year, FireEye has seen the group target a U.S. organization from the aerospace sector, a business conglomerate from Saudi Arabia with aviation holdings, a company involved in oil refining and a business conglomerate from South Korea and another Saudi organization.

What all of these companies had in common is that they had business interests in Saudi Arabia, a geopolitical rival for Iran. Other Iranian hackers launched destructive attacks against Saudi Arabian companies in the past. For example, an Iranian group used a malware program called Shamoon in 2012 to wipe data from 30,000 computers at Saudi Aramco, Saudi Arabia’s national oil company.

The FireEye researchers believe that APT33 is not the group that used Shamoon in 2012 and, unlike that group, APT33 also targets organizations from outside the Middle East.

“We assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may possibly be looking to gain insights on Saudi Arabia’s military aviation capabilities to enhance Iran’s domestic aviation capabilities or to support Iran’s military and strategic decision-making vis à vis Saudi Arabia,” the researchers said in their report.

APT33 uses a malware dropper dubbed DROPSHOT that’s capable of installing additional malicious programs. The second-stage payload that FireEye has seen in the APT33 attacks it investigated is a backdoor program called TURNEDUP. However, researchers have also found DROPSHOP samples in the wild that install a data wiping program dubbed SHAPESHIFT.

“While we have not directly observed APT33 use SHAPESHIFT or otherwise carry out destructive operations, APT33 is the only group that we have observed use the DROPSHOT dropper,” the FireEye researchers said. “It is possible that DROPSHOT may be shared amongst Iran-based threat groups, but we do not have any evidence that this is the case.”

The connection between DROPSHOT and SHAPESHIFT suggests that either APT33 is preparing for destructive operations or that it shares its resources with a group that engages in such attacks.

There are multiple clues that tie APT33 to Iran: Farsi-language artifacts in the malware, a project path in DROPSHOT that leads back to a community manager for an Iranian programming forum, the group’s activity matching regular working hours in Iran, its targets reflecting Iran’s geopolitical interests and more.

Misconfigured Amazon S3 Bucket Exposes Access Keys for Viacom’s IT Operations

Another week, another AWS storage blunder. Security researchers from UpGuard found a publicly accessible storage bucket on Amazon’s Simple Storage Service (S3) that contained backup files for the IT infrastructure of media giant Viacom.

The files included encryption keys, passwords, server schematics, the secret key for the corporation’s AWS account and various other sensitive credentials and data.

“Exposed in this incident were nothing less than the master controls needed to harness the power of a digital media empire and turn it towards nefarious aims,” the UpGuard researchers said in their report.

Over the past few months, misconfigured Amazon S3 buckets exposed the names and contact information of 2.2 million Dow Jones customers; the names, addresses and personal identification numbers (PINs) of millions of Verizon customers and 9,000 resumés containing the personal details of former military personnel.

“As more and more enterprise data moves to cloud-based environments, organizations must assure that their data is not only protected against proactive external attacks, but also from the carelessness of those charged with basic configuration and other seemingly pedestrian and taken-for-granted functions,” said Jeff Hill, director of product management at Prevalent, a provider of IT vendor risk management services. “In the age of the cloud, enterprises will be well served to adopt an ‘assume nothing; verify everything’ security philosophy.”

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin