Equifax's chief information officer and chief security officer “are retiring” and the company has admitted it knew Apache Struts needed patching in March, but looks to have fluffed attempts to secure the software.
The retirements and more details about the company's mega-breach are revealed in a new entry to equifaxsecurity2017.com in which the company describes what it knew, when it knew it, and how it responded.
The update reveals that the attack hit the company's “U.S. online dispute portal web application” and that the source of its woes was CVE-2017-5638, which “allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header.” Equifax acknowledges that bug was disclosed in early March 2017.
The next point on the company's list says “Equifax’s Security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.”
But elsewhere in the statement, Equifax just-about-confesses that those efforts either missed the Struts implementation or failed to patch it properly.
The company “observed suspicious network traffic” on July 29th, “continued to monitor network traffic and observed additional suspicious activity” on the 30th and “took offline the affected web application that day.”
It was only then that “Equifax patched the affected web application before bringing it back online.”
The company says its investigations are ongoing and that it continues to assist the FBI with its probe into the matter.
Sent to us by: Roy W. Nash
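The CVE description above gives defenders a simple check: a legitimate Content-Type header is always `type/subtype` plus optional parameters, so an OGNL expression in that header stands out. The following is an added detection example, not code from the Equifax write-up; it assumes a constructed proxy log format that records the request's Content-Type value, and the sample lines are made up.

```python
import re
from typing import Dict, List

# Constructed sample log (assumed format: client_ip method path "content-type").
# Real access logs usually do not record Content-Type; this assumes a reverse
# proxy configured to log it. All addresses and paths are made up.
SAMPLE_LOG = """\
198.51.100.7 POST /dispute/upload "multipart/form-data; boundary=----abc123"
198.51.100.9 POST /dispute/upload "%{(#cmd='PLACEHOLDER')}"
203.0.113.4 GET /dispute/status "text/html"
203.0.113.8 POST /dispute/upload "application/x-www-form-urlencoded"
203.0.113.9 POST /dispute/upload "text/plain; charset=%{#cmd='PLACEHOLDER'}"
"""

LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')

# RFC 7230 tchar: braces, parentheses, quotes and whitespace are excluded, so an
# OGNL expression such as %{...} can never form a valid top-level media type.
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_MEDIA_TYPE = re.compile(rf"^{_TCHAR}/{_TCHAR}(\s*;\s*[^;]+)*$")

# Markers from the CVE-2017-5638 description (#cmd=) and Struts/OGNL expression syntax.
_OGNL_MARKERS = ("%{", "${", "#cmd=")


def classify_content_type(value: str) -> List[str]:
    """Return the reasons a Content-Type value looks like an injection attempt (empty if clean)."""
    reasons = [f"marker {m!r}" for m in _OGNL_MARKERS if m in value]
    # Structural check catches expressions placed where the media type should be;
    # the marker check is still needed for expressions hidden inside parameters.
    if not _MEDIA_TYPE.match(value):
        reasons.append("not a valid media type")
    return reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """One finding per request whose Content-Type header fails either check."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ip, method, path, ctype = m.groups()
        reasons = classify_content_type(ctype)
        if reasons:
            findings.append({"ip": ip, "path": path, "content_type": ctype, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Note the last sample line: the media type itself is well formed, so only the marker check flags it, which is why both checks run.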
Researchers recently found at least 50 apps in the official Google Play market that made charges for fee-based services without the knowledge or permission of users.
The apps were downloaded as many as 4.2 million times. Google quickly removed the apps after the researchers reported them, but within days, apps from the same malicious family were back and infected more than 5,000 devices.
The apps, all from a family of malware that security firm Check Point calls ExpensiveWall, surreptitiously uploaded phone numbers, locations, and unique hardware identifiers to attacker-controlled servers. The apps then used the phone numbers to sign up unwitting users to premium services and to send fraudulent premium text messages, a move that caused users to be billed. Check Point researchers didn't know how much revenue was generated by the apps. Google Play showed the apps had from 1 million to 4.2 million downloads.
ExpensiveWall—named after one of the individual apps called LovelyWall—used a common obfuscation technique known as packing. By compressing or encrypting the executable file before it's uploaded to Play, attackers can hide its maliciousness from Google's malware scanners. A key included in the package then reassembled the executable once the file was safely on the targeted device. Although packing is more than a decade old, Google's failure to catch the apps, even after the first batch was removed, underscores how effective the technique remains.
Even after Google removed the apps from Play, many phones will remain infected until users explicitly uninstall the malicious titles. Google reminds users that a security feature known as Play Protect, previously called Verify Apps, will automatically remove malicious apps from affected phones.
Sent to us by: Roy W. Nash
US big box retailer Best Buy has pulled from its shelves Kaspersky Lab's PC security software amid fears of Kremlin spies using the antivirus tool to snoop on Americans.
Despite there being no concrete evidence to indicate that the security software is a threat, the retail chain is ending its long relationship with Kaspersky, a Best Buy spokesperson confirmed on Friday. As to the reasoning, the store chain just said that it doesn't comment on contracts with specific vendors.
It was a lousy week for Kaspersky. On Monday US Senator Jeanne Shaheen introduced an amendment to the National Defense Authorization Act that would ban Kaspersky software from any federal computer, following on from her earlier ban on the software being used by the Department of Defense.
She said, "Because Kaspersky's servers are in Russia, sensitive United States data is constantly cycled through a hostile country. Under Russian laws and according to Kaspersky Lab's certification by the [Russian security service] FSB, the company is required to assist the spy agency in its operations, and the FSB can assign agency officers to work at the company. Russian law requires telecommunications service providers such as Kaspersky Lab to install communications interception equipment that allows the FSB to monitor all of a company's data transmissions."
Sent to us by: Robbie Ferguson
Do you use CCleaner on your Windows machines? The official build was laced with malware!
Antivirus firm Avast has admitted inadvertently distributing a trojanised version of CCleaner, a popular PC tune-up tool, for nearly a month, infecting an estimated 2.27 million users.
Cisco Talos discovered that servers distributing the program were leveraged to deliver malware to unsuspecting victims.
Researchers explained, "For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner. On September 13, 2017, Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities."
Apparently, hackers hijacked and hid malware inside versions of Avast's CCleaner application available for download between August 15 and September 12.
Anyone who downloaded the 5.33 version or updated their existing product during this timeframe became infected with a covert backdoor capable of spying on everything they did online.
Sent to us by: Roy W. Nash