Security flaws haunt Ghostscript
For the third year in a row, researchers have found exploitable flaws in the open source software Ghostscript, a PDF and PostScript interpreter used by hundreds of programs on all major platforms. While the software includes a sandbox protection option, researchers have now identified a series of sandbox bypass vulnerabilities. To exploit the flaw, a bad actor would only need to send the victim a specially crafted file in a format that is handed to Ghostscript (PDF, PS, EPS, or XPS). A successful exploit gives the attacker remote code execution on the affected system, in effect letting them take it over. No patch is available yet, so experts are advising Linux distributions to disable the PS, EPS, PDF, and XPS coders in ImageMagick’s policy.xml, as that image-processing library appears to be the project most affected by the flaw.
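The policy.xml mitigation above is a one-line-per-coder change, but it is easy to get a pattern wrong or miss a coder. The following added example (it is not code from the Avast post or from ImageMagick) parses a policy.xml, reports which of the four Ghostscript-backed coders named above are still allowed, and emits the deny lines needed to close the gap. The sample policy is constructed, and the matching logic is a simplified model of ImageMagick's (a `<policy domain="coder">` entry with `rights="none"` denies every coder whose name matches its case-insensitive glob pattern).

```python
"""Check an ImageMagick policy.xml for the coder restrictions recommended
against the Ghostscript sandbox bypass: PS, EPS, PDF and XPS must be denied.

Added example, not from the Avast post; the sample policy below is constructed.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Coders named in the advisory: formats ImageMagick hands to Ghostscript.
GHOSTSCRIPT_CODERS = ("PS", "EPS", "PDF", "XPS")

# Constructed example of a policy that restricts resources and a couple of
# coders but says nothing about the Ghostscript-backed formats.
WEAK_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTP" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>
"""


def denied_coders(policy_xml):
    """Return the subset of GHOSTSCRIPT_CODERS that the policy denies.

    Simplified model of ImageMagick's matching (assumption of this example):
    a <policy domain="coder"> entry applies to every coder whose name matches
    the entry's pattern as a case-insensitive glob, and rights="none" denies it.
    """
    root = ET.fromstring(policy_xml)
    denied = set()
    for policy in root.iter("policy"):
        if policy.get("domain", "").lower() != "coder":
            continue
        if policy.get("rights", "").strip().lower() != "none":
            continue
        pattern = policy.get("pattern", "").upper()
        for coder in GHOSTSCRIPT_CODERS:
            if fnmatch.fnmatchcase(coder, pattern):
                denied.add(coder)
    return denied


def missing_restrictions(policy_xml):
    """List (sorted) the Ghostscript-backed coders the policy still allows."""
    return sorted(set(GHOSTSCRIPT_CODERS) - denied_coders(policy_xml))


def hardened_policy_lines():
    """The <policy> lines that deny all four coders, ready to paste into policy.xml."""
    return "\n".join(
        '  <policy domain="coder" rights="none" pattern="%s" />' % coder
        for coder in GHOSTSCRIPT_CODERS
    )


def harden(policy_xml):
    """Return the policy with the deny lines inserted before </policymap>."""
    return policy_xml.replace("</policymap>", hardened_policy_lines() + "\n</policymap>")


HARDENED_POLICY = harden(WEAK_POLICY)

if __name__ == "__main__":
    print("still allowed (weak):    ", missing_restrictions(WEAK_POLICY))
    print("still allowed (hardened):", missing_restrictions(HARDENED_POLICY))
    print(hardened_policy_lines())
```

To use it on a real system, read the file ImageMagick actually loads (its location varies by distribution; `convert -list policy` prints the active policy) and pass its contents to `missing_restrictions`. ImageMagick also ships PS2 and PS3 coders that go through Ghostscript, and distribution-hardened policies usually deny those alongside the four named in the advisory.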
Microsoft declaws Fancy Bear
Microsoft’s Digital Crimes Unit was granted permission by a US court to seize six domains posing as politically influential websites. Microsoft claims the sites were associated with a hacking group known as APT28, which also goes by the names Strontium and Fancy Bear. It is the same group accused of using hacking and phishing tactics to affect the outcome of the 2016 US presidential election. The same kind of operation appeared to be under way on the seized sites. Each was a phony version of a legitimate conservative-leaning website such as The Hudson Institute and the International Republican Institute, leading many to believe high-level politicians were being targeted. The domains shut down were:
Facebook wipes hundreds of phony accounts
Facebook, Twitter, and Alphabet collectively booted a substantial number of phony accounts that the social giants believe were part of two different propaganda campaigns, one originating from Iran and the other from Russia. The Iran-based accounts created a network of fake news and phony personas with “anti-Saudi, anti-Israeli, pro-Palestinian themes,” according to cybersecurity experts. The Russia-based accounts were using social engineering and phishing tactics to steal login credentials from US political players. Both Tehran and the Kremlin deny that their countries had anything to do with the campaigns. Twitter removed 284 accounts, while Facebook took down 392 accounts and 254 pages.
Phishing for DNC accounts
Earlier this week, cybersecurity researchers uncovered a phishing attempt to steal DNC login credentials when their AI-based scanning tool discovered a phony website designed to look like NGP VAN, a DNC tech provider. The fake login page would have captured members’ passwords the hackers could then use to gain access to the Democratic voter database. With US midterm elections coming up later this year, it’s no surprise to see more cyberattacks like the infamous 2016 campaign. Avast Threat Intelligence Director Michal Salat believes we can expect to see many more attacks like this before election season is over. “And these attacks will primarily use social engineering techniques to find their way into networks. I would also expect them to try to utilize breached accounts and passwords.”
Apache Struts flaw gives up your server
Researchers revealed a newly discovered flaw earlier this week in Apache Struts, a popular open source web application framework. It was a similar flaw in Apache Struts that caused last year’s Equifax breach, which affected 143 million users’ data. Companies and agencies such as Lockheed, Vodafone, and the IRS use Apache Struts and could be vulnerable if they have not yet patched the flaw, which allows remote code execution (RCE). Websites that have updated to Struts versions 2.3.35 or 2.5.17 no longer have the vulnerability. All users of the framework are encouraged to update their software.
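Knowing the fixed versions is only useful if you can find out which version each of your applications actually pulls in. The following added example (not code from the Avast post or from the Struts project) reads the `struts2-core` version declared in a Maven pom.xml, resolving a `${property}` reference if one is used, and compares it against the two fixed releases named above: 2.3.35 for the 2.3 branch and 2.5.17 for the 2.5 branch. The pom.xml fragment is constructed; the only facts assumed are the fixed version numbers from the post and the standard `org.apache.struts:struts2-core` Maven coordinates.

```python
"""Compare declared struts2-core versions against the fixed releases named
in the post (2.3.35 for the 2.3.x branch, 2.5.17 for the 2.5.x branch).

Added example, not from the Avast post or the Struts project; the pom.xml
fragment is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Fixed releases as stated in the post, keyed by (major, minor) branch.
FIXED_VERSIONS = {(2, 3): (2, 3, 35), (2, 5): (2, 5, 17)}

# Constructed pom.xml fragment: the version is declared via a property,
# which is the common layout and the one a naive grep for "struts2-core" misses.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <struts.version>2.5.16</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text):
    """'2.5.16' -> (2, 5, 16); a trailing qualifier such as '.1' or '-SNAPSHOT' is ignored."""
    match = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError("unrecognised Struts version: %r" % text)
    return tuple(int(part) for part in match.groups())


def is_patched(version):
    """True if at or above the fixed release for its branch, False if below.

    Returns None for branches the post says nothing about (for example 2.1.x),
    rather than guessing; treat None as 'needs manual review'.
    """
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed >= fixed


def _local(tag):
    """Strip the Maven XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def struts_versions_in_pom(pom_xml):
    """Return every struts2-core version declared in the pom, properties resolved."""
    root = ET.fromstring(pom_xml)
    properties = {}
    for element in root:
        if _local(element.tag) == "properties":
            properties = {_local(p.tag): (p.text or "").strip() for p in element}
    versions = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in dep}
        if fields.get("groupId") != "org.apache.struts" or fields.get("artifactId") != "struts2-core":
            continue
        version = fields.get("version", "")
        prop = re.fullmatch(r"\$\{(.+)\}", version)
        if prop:
            version = properties.get(prop.group(1), version)
        versions.append(version)
    return versions


def report(pom_xml):
    """Map each declared struts2-core version to its patch status."""
    return {v: is_patched(v) for v in struts_versions_in_pom(pom_xml)}


if __name__ == "__main__":
    for version, status in report(SAMPLE_POM).items():
        print(version, {True: "patched", False: "VULNERABLE", None: "unknown branch"}[status])
```

The pom.xml is only the declared version; a parent POM, a dependency-management section or a transitive dependency can override it, so the authoritative check is the resolved dependency tree (for Maven, the output of `mvn dependency:tree`) or the `struts2-core-*.jar` actually deployed under `WEB-INF/lib`.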
Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Learn more about products that protect your digital life at avast.com. And get all the latest news on today’s cyberthreats and how to beat them at blog.avast.com.
*** This is a Security Bloggers Network syndicated blog from Blog | Avast EN authored by Avast Blog. Read the original post at: https://blog.avast.com/security-news-fakes-and-flaws