in Apache Struts 2, requiring an immediate update. The vulnerability, CVE-2018-11776, affects core code and allows miscreants to pull off remote code execution against vulnerable servers and websites. It affects all supported versions of Struts 2, the popular open-source framework for Java web apps, prior to the fixed releases. The Apache Software Foundation has "urgently advised" anyone using Struts to update to the latest version immediately, noting that the last time a critical hole was found, it was being exploited in the wild just a day later. In other words, if you are running vulnerable systems and delay patching, your organization will be compromised in short order via this bug. It was that earlier flaw that led to a nightmare data breach at credit company Equifax after it failed to patch swiftly enough. The details of nearly 150 million people were exposed, costing the company more than $600m, so this is not something to be taken lightly. The company that discovered the vulnerability, the Semmle Security Research Team, warns that this latest one is actually worse than the one last year, which it also found. It has published a blog post with more information. Semmle found the hole back in April and reported it to Apache, which put out a patch in June that it has now pulled into formal updates (2.3.35 for those using version 2.3 and 2.5.17 for those on 2.5).
As mentioned, the vulnerability is in the core code and doesn't require additional plugins to work. It is caused by insufficient validation of untrusted user data in the core of the Struts framework, and can be exploited in several different ways. Semmle says it has identified two different vectors but warns there may be others. Since it can be exploited remotely, and since Struts is typically used to build applications exposed on the public internet, hackers are going to be especially focused on exploiting it so they can gain access to corporate networks. And there are some big targets out there: Apache Struts is extremely common, with most large corporations using it somewhere in their systems for web apps. Semmle's VP of engineering, Pavel Avgustinov, had this to say about the hole on Wednesday this week: "Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit. A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It's crucially important to update affected systems immediately; to wait is to take an irresponsible risk." This is very far from the first time that big security holes have been found in Struts, leading some to recommend that people simply stop using it.
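The practical first step the advisory above implies is an inventory: find every struts2-core jar deployed on a host and compare it against the fixed releases named in the article (2.3.35 for the 2.3 branch, 2.5.17 for the 2.5 branch). The script below is an added example, not code from the article, Apache or Semmle. It assumes the standard Maven artifact naming struts2-core-<version>.jar; the directory layout and jar names used when running it are constructed for illustration.

```python
"""Inventory struts2-core jars on a filesystem and flag versions below the
CVE-2018-11776 fixed releases (2.3.35 and 2.5.17).

Added example, not from the article or the Struts project. Assumes the usual
Maven artifact name struts2-core-<version>.jar (hypothetical paths in the
usage section are constructed)."""

import os
import re
from typing import Dict, Iterable, Tuple

# Fixed releases named in the advisory, keyed by minor branch.
FIXED = {(2, 3): (2, 3, 35), (2, 5): (2, 5, 17)}

# Matches struts2-core-2.5.16.jar and struts2-core-2.5.17-SNAPSHOT.jar alike.
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)(?:[-.][A-Za-z0-9]+)?\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.16' -> (2, 5, 16). Comparing numeric tuples avoids the classic
    string-compare bug where '2.5.9' sorts after '2.5.17'."""
    return tuple(int(p) for p in text.split("."))


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True for any Struts 2 core version below the fix for its branch.
    Struts 2 branches other than 2.3/2.5 are out of support and have no fixed
    release, so they are reported as vulnerable too."""
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return version[0] == 2
    return version < fixed


def classify_jars(paths: Iterable[str]) -> Dict[str, str]:
    """Map each struts2-core jar path to 'vulnerable' or 'fixed'.
    Files that are not struts2-core jars are ignored."""
    result: Dict[str, str] = {}
    for path in paths:
        m = JAR_RE.match(os.path.basename(path))
        if not m:
            continue
        status = "vulnerable" if is_vulnerable(parse_version(m.group(1))) else "fixed"
        result[path] = status
    return result


def scan(root: str) -> Dict[str, str]:
    """Walk a directory tree (for example a Tomcat webapps/ directory) and
    classify every struts2-core jar found under it."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            found.append(os.path.join(dirpath, name))
    return classify_jars(found)


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, status in sorted(scan(root).items()):
        print(f"{status:10} {path}")
```

Run it against the application server's deployment root; any line reporting "vulnerable" is a jar that still needs replacing with 2.3.35 or 2.5.17. Version strings are compared as integer tuples, not text, so 2.5.9 is correctly reported as older than 2.5.17.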
The Bitcoin Core team yesterday released a patch for a denial-of-service vulnerability that could prove fatal to the Bitcoin network. The patch note urged miners to shut down their older versions urgently and replace them with the new version, Bitcoin Core 0.16.3. The announcement, first reported on Hacked, revealed that all recent Bitcoin Core versions could be knocked offline by a denial-of-service attack. A distributed denial-of-service (DDoS) attack typically involves multiple compromised systems flooding a single system (or network), similar to zombies encircling an uninfected person and disabling his movements. DDoS perpetrators could attack the Bitcoin network either by flooding blocks with duplicate transactions, thus jamming the confirmation of other people's transactions, or by flooding the nodes on Bitcoin's peer-to-peer network, thus over-utilizing bandwidth through malicious transaction relays. The recent vulnerability, tracked as CVE-2018-17144, is of the second kind in that it targets full node operators, but it needs no flood of traffic: a crafted block is enough to crash a vulnerable node. Hacked reports: "The way the potential exploit could work was by allowing anyone who was capable of mining a sufficient number of proof of work blocks to crash Bitcoin Cores running software versions 0.14.0 to 0.16.2." Nodes running versions outside that range were not vulnerable to the attack. Still, developers recommended that all miners go ahead with the latest update to stay safe. The patch also fixed some other minor bugs related to consensus, RPC, invalid flag errors, and documentation.
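For an operator, the question the paragraph above raises is whether a given node, and the peers it is connected to, are still inside the affected 0.14.0 to 0.16.2 range. The script below is an added example, not code from the article or from the Bitcoin Core project. It assumes the JSON shape returned by Bitcoin Core's `getnetworkinfo` and `getpeerinfo` RPC calls (a packed integer `version` field and a `subver` user-agent string of the form `/Satoshi:0.16.2/`); the two JSON documents embedded in it are constructed samples standing in for real RPC output.

```python
"""Check a Bitcoin Core node, and the peers it sees, against the
CVE-2018-17144 affected range (0.14.0 through 0.16.2; fixed in 0.16.3).

Added example, not from the article or the Bitcoin Core project. The JSON
below is constructed to mirror the output of the `getnetworkinfo` and
`getpeerinfo` RPC calls; in practice it would come from bitcoin-cli."""

import json
import re
from typing import List, Optional, Tuple

AFFECTED_MIN = (0, 14, 0)
AFFECTED_MAX = (0, 16, 2)  # inclusive, per the advisory
FIXED = (0, 16, 3)


def decode_client_version(n: int) -> Tuple[int, int, int]:
    """Bitcoin Core packs major.minor.revision.build into one integer as
    1000000*major + 10000*minor + 100*revision + build, so 160200 is 0.16.2."""
    major, rest = divmod(n, 1_000_000)
    minor, rest = divmod(rest, 10_000)
    revision, _build = divmod(rest, 100)
    return (major, minor, revision)


# Bitcoin Core peers advertise a user-agent such as "/Satoshi:0.16.2/".
# Other implementations (btcd, bcoin, ...) use different strings and are
# deliberately skipped: this bug is specific to Bitcoin Core.
SATOSHI_RE = re.compile(r"/Satoshi:(\d+)\.(\d+)\.(\d+)")


def parse_subversion(subver: str) -> Optional[Tuple[int, int, int]]:
    m = SATOSHI_RE.search(subver)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(v: Tuple[int, int, int]) -> bool:
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def local_node_affected(networkinfo_json: str) -> bool:
    """True if the node's own reported version falls in the affected range."""
    info = json.loads(networkinfo_json)
    return is_affected(decode_client_version(info["version"]))


def vulnerable_peers(peerinfo_json: str) -> List[str]:
    """Addresses of connected peers still advertising an affected Core
    version. Peers with a non-Core or unparseable user-agent are skipped."""
    out = []
    for peer in json.loads(peerinfo_json):
        v = parse_subversion(peer.get("subver", ""))
        if v is not None and is_affected(v):
            out.append(peer["addr"])
    return out


# Constructed sample RPC output (addresses are documentation ranges).
SAMPLE_NETWORKINFO = json.dumps({"version": 160200, "subversion": "/Satoshi:0.16.2/"})
SAMPLE_PEERINFO = json.dumps([
    {"addr": "203.0.113.5:8333", "subver": "/Satoshi:0.16.3/"},
    {"addr": "198.51.100.9:8333", "subver": "/Satoshi:0.15.1/"},
    {"addr": "192.0.2.77:8333", "subver": "/btcd:0.12.0/"},
    {"addr": "203.0.113.44:8333", "subver": "/Satoshi:0.13.2/"},
])

if __name__ == "__main__":
    print("local node affected:", local_node_affected(SAMPLE_NETWORKINFO))
    print("peers still on affected versions:", vulnerable_peers(SAMPLE_PEERINFO))
```

Note that the peer list only tells you what a peer claims in its user-agent, which is trivially spoofable; it is useful for gauging how much of your neighbourhood has upgraded, not as a security control. The node's own `version` field, read over an authenticated RPC connection, is the authoritative check.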
It is worth noting that Bitcoin is not the only cryptocurrency on the DDoS attackers' hitlist. Flaws have been found in other cryptocurrency clients as well, including Bitcoin Cash and Ethereum. An effective attack on the Ethereum network lasted more than a month and created millions of empty accounts. In response, developers had to go through two on-chain forks and one off-chain process to clean up the mess. In another DDoS attack that slowed down the Ethereum network, miners had to increase gas fees to repel the attackers. There was no consensus failure. DDoS continues to be a global problem that affects every corner of the internet. Europol, in its latest investigative report, noted: "Criminals continue to use Distributed-Denial-of-Service (DDoS) attacks as a tool against private business and the public sector. Such attacks are used not only for financial gains but for ideological, political or purely malicious reasons. This type of attack is not only one of the most frequent (second only to malware in 2017); it is also becoming more accessible, low-cost and low-risk." Meanwhile, decentralized networks like Bitcoin remain more resilient to such attacks, purely because no single entity would be able to bring them down. Also, because the participants, including the attackers themselves, are heavily invested in Bitcoin, a coordinated attack would simply cost them their own bitcoin validation rewards.
A generic wireless camera manufactured by a Chinese company and sold around the world under different names and brands can be easily hijacked and/or roped into a botnet. The flaw that allows this to happen is found in a custom version of GoAhead, a lightweight embedded web server that has been fitted into the devices. This and other vulnerabilities have been found by security researcher Pierre Kim, who tested one of the branded cameras, the Wireless IP Camera (P2P) WIFICAM. The extensive list of devices affected by the flaw in the custom embedded web server can be found here, and includes 1250+ camera models from over 300 vendors, including D-Link, Foscam, Logitech, Netcam, and Polaroid. "This vulnerability allows an attacker to steal credentials, ftp accounts and smtp accounts (email)," Kim noted. He also shared a PoC exploit that leverages the flaw to give an attacker a root shell on the device. Other vulnerabilities present include an RTSP server running on the camera's TCP port 10554, which can be accessed without authentication, allowing attackers to watch what the camera streams. There is also a "cloud" functionality that is on by default, through which the camera can be managed via a mobile Android app. The connection between the two is established over UDP, and will be automatically established to any app that "asks" whether a particular camera is online. Effectively, the attacker just needs to know the serial number of the device. The established UDP tunnel can also be used by the attacker to dump the camera's configuration file in cleartext, or to bruteforce credentials.
"The UDP tunnel between the attacker and the camera is established even if the attacker doesn't know the credentials," Kim noted. "It's useful to note the tunnel bypasses NAT and firewall, allowing the attacker to reach internal cameras (if they are connected to the Internet) and to bruteforce credentials. Then, the attacker can just try to bruteforce credentials of the camera." Kim advises owners of these devices to disconnect them from the Internet. A simple search with Shodan revealed that there are 185,000+ vulnerable cameras out there, ready to be hijacked. The vulnerabilities are not in GoAhead itself but in the custom version of the web server developed by the Chinese OEM vendor, so EmbedThis, the company that develops GoAhead, can do nothing to fix this. Interestingly enough, SecuriTeam revealed today the existence of an arbitrary file content disclosure vulnerability affecting older versions of the GoAhead web server. Discovered by independent security researcher Istvan Toth, the vulnerability can be triggered by sending a malformed request to the web server, which will then disclose device credentials to the attacker in clear text. "The GoAhead web server is present on multiple embedded devices, from IP cameras to printers and other embedded devices," SecuriTeam explained, and urged owners to remove the device from the network, "or at the very least not allow access to the web interface to anyone beside a very strict IP address range".