Web Application Security News for March 2017


This month’s roundup has stories of newly found vulnerabilities and their immediate impact. One of these is the Apache Struts 2 vulnerability, which was used almost immediately to hack Canadian government sites. We also see a directory traversal vulnerability in a very unusual location, a number of breaches (some due to improperly secured APIs), and two reports, one from Google and the other from IBM, showing that website attacks and data breaches grew over the last year.

Google Says Number of Hacked Sites Grew by 32% in 2016

The past year was a difficult one for security as the number of hacked sites rose by 32% compared to the previous year, shows Google's State of Website Security Report for 2016. 

Patch Unlikely for Widely Publicized Flaw in Microsoft IIS 6.0

A zero-day vulnerability in Microsoft's IIS 6.0 Web server software remains unfixed even after two Chinese researchers recently posted a proof-of-concept exploit for it, Threatpost reports. Microsoft recommends “that customers upgrade to our latest operating systems and benefit from robust, modern protection.”

Content-Type: Malicious – New Apache Struts2 0-day Under Attack

Talos has observed a new Apache vulnerability that is being actively exploited in the wild. The vulnerability (CVE-2017-5638) is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts, referenced in this security advisory. Talos began investigating for exploitation attempts and found a high number of exploitation events. The majority of the exploitation attempts seem to be leveraging a publicly released PoC that is being used to run various commands. Talos has observed simple commands (i.e. whoami) as well as more sophisticated commands including pulling down a malicious ELF executable and execution…

StatsCan hacked after government sites made vulnerable: officials

…The problem was identified last Wednesday at around 10:30 p.m., Glowacki said. It was flagged in the frequent communications the government receives from online security partners around the world about potential threats. This time it was through widely used website design software, Apache Struts 2, which was identified as a gateway to potential hackers and needed to be updated, the officials explained…

A Hackable Dishwasher Is Connecting Hospitals to the Internet of S***

…Jens Regel, a security consultant, found a “web server directory traversal” bug in the Miele PG 8528 when he was prodding a network for vulnerabilities during a consulting gig, what's known in the industry as a penetration test or “pentest.” That kind of vulnerability allows an unauthorized attacker to gain access to the file system of the server to which the machine connects…

How anyone could have used Uber to ride for free!

This post is about an interesting bug on Uber which could have been used to ride for free anywhere in the world. Attackers could have misused this by taking unlimited free rides from their uber account…

McDonalds India is leaking 2.2 million users data

The McDonald’s India app, McDelivery, is leaking personal data for more than 2.2 million of its users, which includes name, email address, phone number, home address, accurate home co-ordinates and social profile links…

…An unprotected publicly accessible API endpoint for getting user details coupled with serially enumerable integers as customer IDs can be used to obtain access to all users' personal information.
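The flaw described above (an unauthenticated user-details endpoint combined with sequential customer IDs) as an added example that is not from the original article or the McDelivery app: a vulnerable lookup beside a hardened one that enforces ownership, and a small access-log check that flags clients walking consecutive IDs. The user records, endpoint path and log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample user store (hypothetical records, not real data).
USERS = {
    1001: {"name": "A. Example", "email": "a@example.invalid"},
    1002: {"name": "B. Example", "email": "b@example.invalid"},
    1003: {"name": "C. Example", "email": "c@example.invalid"},
}

def get_user_vulnerable(requested_id, session_user_id=None):
    """Unprotected endpoint: any caller gets any record just by supplying an integer ID."""
    return USERS.get(requested_id)

def get_user_hardened(requested_id, session_user_id):
    """Ownership check: a caller may only read the record tied to their own authenticated session."""
    if session_user_id is None or requested_id != session_user_id:
        return None  # a real handler would answer 401/404 without revealing whether the ID exists
    return USERS.get(requested_id)

# Matches a constructed log format: '<ip> - "GET /api/users/<id> HTTP/1.1" <status>'
LOG_RE = re.compile(r'^(\S+) \S+ "GET /api/users/(\d+)')

def enumeration_suspects(log_lines, min_run=3):
    """Return {ip: longest run} for IPs that request consecutive user IDs, the trace a serial scrape leaves."""
    ids_by_ip = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            ids_by_ip[m.group(1)].append(int(m.group(2)))
    suspects = {}
    for ip, ids in ids_by_ip.items():
        longest = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            suspects[ip] = longest
    return suspects

# Constructed access-log lines: one client walks IDs 1001..1004, another makes ordinary requests.
SAMPLE_LOG = [
    '203.0.113.5 - "GET /api/users/1001 HTTP/1.1" 200',
    '203.0.113.5 - "GET /api/users/1002 HTTP/1.1" 200',
    '203.0.113.5 - "GET /api/users/1003 HTTP/1.1" 200',
    '203.0.113.5 - "GET /api/users/1004 HTTP/1.1" 404',
    '198.51.100.7 - "GET /api/users/1002 HTTP/1.1" 200',
    '198.51.100.7 - "GET /api/orders/55 HTTP/1.1" 200',
]
```

Replacing sequential integers with random, unguessable identifiers reduces the blast radius further, but the ownership check is what closes the hole.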

Hackers Breached Department of Labor Job Seekers Portal

Hackers have breached America's Job Link Alliance (AJLA), a job portal offered by the Department of Labor (DOL), and stolen personal details from an undisclosed number of job seekers…

…According to AJLA officials, hackers registered an account on the job portal and then used a vulnerability in the AJLA source code to extract data from other users…

…AJLA said the vulnerability the attacker used was introduced in its codebase in October 2016 but was patched March 14, two days after the initial attack. Investigators didn't find evidence it was exploited in the past…

IBM Security Report: 4 Billion Records Leaked in 2016, 10K New Vulnerabilities

According to IBM's 2017 X-Force Threat Intelligence Index, on top of the 4 billion records that ended up on the Internet last year, there were also 10,000 software vulnerabilities documented, which is the highest single-year number in the 20 years it has published its report…

…Another trend noticed by IBM regards targeted attacks on unstructured data. If in past years data breaches focused on various structured information sets, such as credit card data, passwords, personal health information and so on, 2016 saw a shift. In fact, hundreds of gigabytes of email archives, documents, intellectual property and source code were targeted by criminals and exposed along with all the other data that we've become “accustomed” to…

Barracuda Web Application Firewall

Barracuda Web Application Firewall gives your DevOps and application security teams comprehensive security that is easy to deploy and manage. Physical, virtual, and in the cloud, Barracuda Web Application Firewall eliminates application vulnerabilities and protects your web applications against application DDoS, SQL Injection, Cross-Site Scripting, and other advanced attacks. Click here to request a free 30-day trial.

Barracuda Cloud Ready initiative

Migrating to the cloud can be a complex process. While the cloud can simplify your IT and make it easier to scale your business, moving sensitive business data to the cloud carries new security risks. In addition, you still need to secure your on-premises infrastructure.

Barracuda’s new “Cloud Ready” initiative is intended to eliminate obstacles and help you move to the cloud faster, more cost-effectively, and with greater confidence. When you purchase an on-premises physical or virtual Barracuda NextGen Firewall or Web Application Firewall, you will receive a 90-day license for the same solution in both Amazon Web Services (AWS) and Microsoft Azure at no extra cost. Visit our Cloud Ready site here for more information.

Tushar Richabadas is a Product Manager for the Barracuda Web Application Firewall team in our India office. You can connect with him on LinkedIn here.
