The threat actors behind the nascent Buhti ransomware have eschewed their custom payload in favor of leaked LockBit and Babuk ransomware families to strike Windows and Linux systems.
“While the group doesn’t develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types,” Symantec said in a Read More
Related Posts
House Will Try Again on Reauthorization of US Spy Program After Republican Upheaval
House Will Try Again on Reauthorization of US Spy Program After Republican Upheaval
[[{“value”:”
Speaker Mike Johnson is expected to bring forward a Plan B that would reform and extend Section 702 of the Foreign Intelligence Surveillance Act for a shortened period of two years.
The post House Will Try Again on Reauthorization of US Spy Program After Republican Upheaval appeared first on SecurityWeek.
“}]] Read More
SecurityWeek RSS Feed
![Recently-patched Apache Struts vulnerability used in worldwide attacks](https://www.malwarebytes.com/wp-content/uploads/sites/2/2023/12/Akamai_tweet.png)
Recently-patched Apache Struts vulnerability used in worldwide attacks
Recently-patched Apache Struts vulnerability used in worldwide attacks
Attackers are exploiting a critical vulnerability in Apache Struts 2 that was patched recently. Struts is a very popular open source platform to develop applications and websites.
On December 7, 2023, Apache announced versions 6.3.0.2 and 2.5.33 of Struts were now available to address a potential security vulnerability listed as CVE-2023-50164.
The vulnerability affects Apache Struts versions:
2.0.0 through 2.5.32
6.0.0 through 6.3.0.1
2.0.0 through 2.3.37 (EOL, no longer supported)
The vulnerability that has a CVSS score of 9.8 out of 10, lies in the frameworks’ file upload functionality and can be exploited to achieve remote code execution (RCE). There is an easy to follow proof-of-concept (PoC) available, which makes it easier for cybercriminals to exploit the vulnerability.
Basically it’s a path traversal flaw that allow attackers to read, and possibly write to, restricted files by inputting path traversal sequences like ../ into file or directory paths. The flaw is caused by parameter confusion, where an attacker can first capitalize a parameter in the request and then submit an additional parameter (in lowercase) that overrides an internal file name variable. That allows an attacker to bypass the built-in check and leave the path traversal payload in the final filename.
This allows a successful attacker to plant a web shell, a malicious script used by an attacker that allows them to escalate and maintain persistent access. In this case, the attacker gets the ability to write a server-side rendered file, such as a JSP (Jakarta Server Pages) file, into a target directory. The JSP payload is executed as soon as the attacker requests the file from the server and the server is compromised. Several international organizations like the Australian Cyber Security Centre (ACSC), the French Computer Emergency Response Team (CERT-FR), and content delivery giant Akamai are warning that they are seeing active exploitation.
Tweet by Akamai
Because of the relative ease-of-use, we can expect to see a lot more of these attacks.
Update now
Users and administrators are encouraged to review the Apache Security Bulletin and upgrade to Struts 2.5.33 or Struts 6.3.0.2 or greater. There are no workarounds.
According to Apache this is a drop-in replacement and upgrade should be straightforward. The new versions can be found on the Struts download page.
Besides updating, additional measures may include:
Sanitization checks on uploaded file data.
Limit server application permissions to allowed directories.
Track which applications in use within your environments are using Struts frameworks.
On internet facing Java systems monitor for newly created files outside directories where they are expected.
Continue to monitor the situation and respond to new information as it comes to light.
We don’t just report on vulnerabilities—we identify them, and prioritize action.
Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.
Malwarebytes
Github Paid $4,000,000 In Rewards For Bug Bounty Program
Github Paid $4,000,000 In Rewards For Bug Bounty Program
GitHub, the world’s leading software development platform, is celebrating a milestone: the 10th anniversary of its Security Bug Bounty program.
Over the past decade, the program has not only enhanced the security of GitHub’s services but also rewarded security researchers with a staggering $4 million in total payouts.
A Decade of Milestones
Launched in 2014, the GitHub Security Bug Bounty program was designed to engage with security researchers to identify and report vulnerabilities through a responsible disclosure process.
The program’s primary goal has always been to improve the security of GitHub’s services while recognizing the efforts of researchers with monetary rewards.
2014: The program began focusing on a subset of GitHub’s products and services.
GitHub emphasized the importance of user trust and the need for additional eyes to track down elusive vulnerabilities.
2016: After two years of using a homegrown email-based system, GitHub transitioned to HackerOne, a leading bug bounty platform, to streamline the process.
2017: GitHub boosted payouts and participated in the Hack the World event, offering double reputation points on HackerOne for bugs found on GitHub.
2018: The introduction of the Legal Safe Harbor policy provided better protection for researchers, removing potential legal barriers and encouraging more participation.
Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot.
2019: The program saw a 40% increase in submissions and expanded its scope to include more products, such as GitHub Actions and GitHub Mobile.
2020: GitHub’s program was ranked in HackerOne’s top ten bounty programs based on cumulative bounties awarded, time to bounty, and the number of resolved vulnerability reports.
2021: GitHub matched over $64,000 in donations from researchers, supporting charities such as Cancer Research UK and the Greater Pittsburgh Community Food Bank.
2022: The launch of the GitHub Bug Bounty swag store allowed researchers to earn merchandise like T-shirts, water bottles, and monetary rewards.
2023: GitHub paid out its highest single reward to date, $75,000, and surpassed $4 million in total rewards.
The 2023 Year in Review
In 2023, GitHub focused on increasing transparency, growing its public and private programs, and expanding its community presence.
Increasing Transparency:
GitHub worked on understanding common feedback themes and implemented changes to ensure clear and detailed responses to researchers.
Introducing limited disclosure of reports on HackerOne was a significant step towards transparency.
Growing Programs:
GitHub ran several private bounty engagements with its VIP program members, known as Hacktocats.
These engagements included testing new features like PATs v2 via GraphQL and GitHub Copilot Chat.
The public program also saw steady growth, with new products and features regularly added to the scope.
Highest Award Value
Total Paid per year
Community Presence:
GitHub’s bounty team attended conferences across the United States, Canada, and Argentina, presenting on relevant topics and hosting meetups.
Notable presentations included “Life of a Bug” at Bsides SF and “Building a Great Bounty Program” at DEFCON.
GitHub also partnered with Capital One and HackerOne to create Glass Firewall, a conference aimed at increasing the representation of women in security.
As GitHub celebrates this milestone, the company remains committed to improving the security of its services and supporting the research community.
With plans to further enhance transparency, grow its programs, and expand community engagement, GitHub’s Bug Bounty program is poised for continued success in future years.
GitHub’s dedication to security and collaborative approach with the research community has set a high standard in the industry.
As the program enters its second decade, the future looks promising for both GitHub and the global community of security researchers.
Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free
The post Github Paid $4,000,000 In Rewards For Bug Bounty Program appeared first on Cyber Security News.