It's time for another #AppSec News Roundup, and start with a topic close to our hearts!

DevOps & Security: Butting Heads for Years but Integration is Happening

Before I get into the survey results, le me get on my soapbox regarding the need to bring infrastructure, particularly security, and DevOps together. Digital transformation requires businesses to move with speed. Speed requires IT agility. IT agility requires app development and infrastructure to be agile and, in most organizations, security is anything but agile.  In fact, security is often left to the very end so companies can build a new app and then have to wait months until the security teams have made their changes and are ready. A better approach is to build security into the application development process.

[Read more…]

The image below shows the number of servers vulnerable to the Heartbleed vulnerability that was reported and fixed in 2014. The bigger problem? All of these are internet connected servers as of July 2017.

In October 2016, Andrey Leonov reported a successful breach of Facebook. Using the ImageTragick vulnerability, he was able to perform command injections and retrieve sufficient information to provide Facebook with proof of exploitation. Facebook patched the issue, and rewarded him. ImageTragick was fixed in May 2016, a full 5 months before the exploit.

On the 24th of September 2015, researchers published a report that showed that the scans for the Shellshock vulnerability were going up. 24th of September 2015 was the second anniversary of it’s disclosure – along with the fixes for the vulnerability.

[Read more…]

The recently observed Trojan, Sathurbot, offers a fascinating insight into the various parts of the malware spreading ecosystem. The bot compromises websites – primarily those running WordPress – and uses this to spread malware to end-users. Once it infects the end-users, it then uses them to hack more websites, and then uses the newly compromised sites to spread more malware, use for attacks, as malware C&C servers or SEO spam.

The entire process starts by compromising a site. Once this site is compromised, it serves torrent files, masquerading as legitimate torrents. These torrents appear well seeded and show up on Bing or Google searches. Users trust these torrents and use them to download the movies or software that the torrents seem to offer. The downloaded files convince the user into running them by masquerading as legitimate software and infect the user's computer. Once the malware has launched, the bot then connects to its C&C servers and uses this to update itself. The C&C server can also push other malware executables to the infected system to perform further tasks.

[Read more…]

This month’s roundup has stories of newly found vulnerabilities – and their immediate impact. One of these vulnerabilities is the Apache Struts 2 vulnerability, that was used almost immediately to hack Canadian government sites. We also see a directory traversal vulnerability in a very unusual location, a number of breaches – some due to improperly secured API’s and two reports – one from Google and the other from IBM – that show that website attacks and data breaches are growing over the last year.

Google Says Number of Hacked Sites Grew by 32% in 2016

The past year was a difficult one for security as the number of hacked sites rose by 32% compared to the previous year, shows Google's State of Website Security Report for 2016. 

Patch Unlikely for Widely Publicized Flaw in Microsoft IIS 6.0

A zero-day vulnerability in Microsoft's IIS 6.0 Web server software remains unfixed even after two Chinese researchers recently posted a proof-of-concept exploit for it, Threatpost reports. Microsoft recommends “that customers upgrade to our latest operating systems and benefit from robust, modern protection.”

Content-Type: Malicious – New Apache Struts2 0-day Under Attack

Talos has observed a new Apache vulnerability that is being actively exploited in the wild. The vulnerability (CVE-2017-5638) is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts, referenced in this security advisory. Talos began investigating for exploitation attempts and found a high number of exploitation events. The majority of the exploitation attempts seem to be leveraging a publicly released PoC that is being used to run various commands. Talos has observed simple commands (i.e. whoami) as well as more sophisticated commands including pulling down a malicious ELF executable and execution…

StatsCan hacked after government sites made vulnerable: officials

…The problem was identified last Wednesday at around 10:30 p.m., Glowacki said. It was flagged in the frequent communications the government receives from online security partners around the world about potential threats. This time it was through widely used website design software, Apache Struts 2, which was identified as a gateway to potential hackers and needed to be updated, the officials explained…

A Hackable Dishwasher Is Connecting Hospitals to the Internet of S***

…Jens Regel, a security consultant, found a “web server directory traversal” bug in the Miele PG 8528 when he was prodding a network for vulnerabilities during a consulting gig, what's known in the industry as a penetration test or “pentest.” That kind of vulnerability allows an unauthorized attacker to gain access to the file system of the server to which the machine connects to…

How anyone could have used Uber to ride for free!

This post is about an interesting bug on Uber which could have been used to ride for free anywhere in the world. Attackers could have misused this by taking unlimited free rides from their uber account…

McDonalds India is leaking 2.2 million users data

The McDonald’s India app, McDelivery is leaking personal data for more than 2.2 million of its users which includes name, email address, phone number, home address, accurate home co-ordinates and social profile links…

…An unprotected publicly accessible API endpoint for getting user details coupled with serially enumerable integers as customer IDs can be used to obtain access to all users personal information.

Hackers Breached Department of Labor Job Seekers Portal

Hackers have breached America's Job Link Alliance (AJLA), a job portal offered by the Department of Labor (DOL), and stolen personal details from an undisclosed number of job seekers…

..According to AJLA officials, hackers registered an account on the job portal and then used a vulnerability in the AJLA source code to extract data from other users…

…AJLA said the vulnerability the attacker used was introduced in its codebase in October 2016 but was patched March 14, two days after the initial attack. Investigators didn't find evidence it was exploited in the past…

IBM Security Report: 4 Billion Records Leaked in 2016, 10K New Vulnerabilities

According to IBM's 2017 X-Force Threat Intelligence Index, on top of the 4 billion records that ended up on the Internet last year, there were also 10,000 software vulnerabilities documented, which is the highest single-year number in the 20 years it has published its report…

..Another trend noticed by IBM regards targeted attacks on unstructured data. If in past years data breaches focused on various structured information sets, such as credit card data, passwords, personal health information and so on, 2016 saw a shift. In fact, hundreds of gigabytes of email archives, documents, intellectual property and source code were targeted by criminals and exposed along with all the other data that we've become “accustomed” to…

Barracuda Web Application Firewall

Barracuda Web Application Firewall gives your DevOps and application security teams comprehensive security that is easy to deploy and manage. Physical, virtual, and in the cloud—Barracuda Web Application Firewall eliminates application vulnerabilities and protects your web applications against application DDoS, SQL Injection, Cross-Site Scripting, and other advanced attacks.  Click here to request a free 30-day trial.

Barracuda Cloud Ready initiative

Migrating to the cloud can be a complex process. While the cloud can simplify your IT and make it easier to scale your business, moving sensitive business data to the cloud carries new security risks. In addition, you still need to secure your on-premises infrastructure.

Barracuda’s new “Cloud Ready” initiative is intended to eliminate obstacles and help you move to the cloud faster, more cost-effectively, and with greater confidence. When you purchase an on-premises physical or virtual Barracuda NextGen Firewall or Web Application Firewall, you will receive a 90-day license for the same solution in both Amazon Web Services (AWS) and Microsoft Azure at no extra cost.  Visit our Cloud Ready site here for more information.

Tushar Richabadas is a Product Manager for the Barracuda Web Application Firewall team in our India office. You can connect with him on LinkedIn here.