a critical vulnerability late last month, Drupal is at it again. The open source content management project has issued an unscheduled security update to augment its previous patch for Drupalgeddon2. There was also a cross-site scripting bug advisory in mid-April. The latest Drupal core vulnerability, designated SA-CORE-2018-004 and assigned CVE-2018-7602, is related to the March SA-CORE-2018-002 flaw (CVE-2018-7600), according to the Drupal security team. It can be exploited to take over a website's server, and allow miscreants to steal information or alter pages. "It is a remote code execution vulnerability," explained a member of the Drupal security team in an email to The Register. "No more technical details beyond that are available." The vulnerability affects at least Drupal 7.x and Drupal 8.x. And a similar issue has been found in the Drupal Media module. In a blog post from earlier this month about the March patch, Dries Buytaert, founder of the Drupal project, observed that all software has security issues and critical security bugs are rare. While the March bug is being actively exploited, the Drupal security team says it's unaware of any exploitation of the latest vulnerability. But it won't be long – those maintaining the project observed automated attacks appearing about two weeks after the SA-CORE-2018-002 notice. The fix is to upgrade to the most recent version of Drupal 7 or 8 core. The latest code can be found at Drupal's website. For those running 7.x, that means upgrading to Drupal 7.59.
For those running 8.5.x, the latest version is 8.5.3. And for those still on 8.4.x, there's an upgrade to 8.4.8, despite the fact that, as an unsupported minor release, the 8.4.x line would not normally get security updates. And finally, if you're still on Drupal 6, which is no longer officially supported, unofficial patches are being developed here. Drupal users appear to be taking the release in stride, though with a bit of grumbling. "Drupal Wednesday looks like the new Windows patch day," quipped designer Tom Binroth via Twitter. "I would rather spend my time on creating new stuff than patching Drupal core sites."
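The upgrade targets listed above, turned into a small version check an operator can run against an inventory of sites. This is an added example for this page, not Drupal's own tooling: the branch-to-fixed-release table comes from the text (7.59, 8.5.3, 8.4.8, and no official fix for Drupal 6); how to treat other 8.x minor lines that the article does not mention is an assumption flagged in the code.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Fixed releases named in the article, keyed by the branch they belong to.
FIXED_RELEASES: Dict[Version, Version] = {
    (7,): (7, 59),
    (8, 5): (8, 5, 3),
    (8, 4): (8, 4, 8),  # unsupported minor line that still received a fix
}


def parse_version(text: str) -> Version:
    """Turn a core version string such as '8.5.1' or '7.58' into a comparable tuple of ints."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Drupal core version: {text!r}")
    return tuple(int(p) for p in parts)


def required_release(version: Version) -> Optional[Version]:
    """Return the fixed release for this install's branch, or None if the article lists none."""
    if version[0] == 7:
        return FIXED_RELEASES[(7,)]
    if version[0] == 8 and len(version) >= 2:
        return FIXED_RELEASES.get((8, version[1]))
    return None


def assess(text: str) -> str:
    """Classify an installed core version against the SA-CORE-2018-004 fixed releases."""
    version = parse_version(text)
    if version[0] == 6:
        return "unsupported: Drupal 6 gets no official fix; only unofficial patches exist"
    fixed = required_release(version)
    if fixed is None:
        # Assumption: 8.x minor lines not named in the advisory text have no listed fix,
        # so the safe reading is "vulnerable until moved to a fixed branch".
        return "no fixed release listed for this branch; treat as vulnerable and move to 8.5.3"
    if version >= fixed:  # integer-tuple comparison handles 8.5.10 > 8.5.3 correctly
        return "patched"
    return "vulnerable: upgrade to " + ".".join(str(n) for n in fixed)


def assess_inventory(versions: List[str]) -> Dict[str, str]:
    """Run assess() over a list of version strings, keyed by the input string."""
    return {v: assess(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real site data.
    for ver, verdict in assess_inventory(["7.58", "7.59", "8.5.1", "8.5.3", "8.4.7", "8.3.7", "6.38"]).items():
        print(f"{ver:>6}  {verdict}")
```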
Netskope Threat Research Labs has discovered that the latest Microsoft Office zero-day vulnerability is linked to the Godzilla botnet loader discussed in our recent blog. During our research, we observed the IPs related to the Godzilla botnet loader serving payloads associated with exploits for the latest zero-day vulnerability in Microsoft Office. Microsoft has said that the vulnerability will be patched today. Netskope Threat Protection detects the known exploits for this new vulnerability as Backdoor.Explot.ANWK. The payloads for the exploit are detected as Backdoor.Generckd.4818242 and Backdoor.Generckd.4818381. This vulnerability allows a malicious actor to execute a Visual Basic script when the victim opens a document containing an embedded exploit. An excerpt of the VBScript code embedded in the document is shown in Figure 1.
Figure 1: VBScript code in the malicious document
We observed the domains btt5sxcx90.com, hyoeyeep.ws and rottastics36w.net also serving payloads associated with the latest Microsoft Office zero-day exploit. At this moment we cannot speculate that the spam campaign and zero-day are related. However, based on current observations, we believe that the same attack group is behind these attacks. Netskope recommends that users block all the IPs and domains mentioned in Figure 8 of our previous blog. Additionally, we suggest users ensure that Office Protected View is enabled to prevent exposure to this attack.
Researchers from Fidelis Cybersecurity have unearthed an "interesting security issue" involving the popular messaging app Telegram. One of the appeals of Telegram is its encryption options for Android and iOS; the app also uses your contact list to prepopulate contacts inside the app. And when someone in your contact list signs up for Telegram, you receive a notification so you know you can contact them using the app. However, John Bambenek, threat systems manager at Fidelis Cybersecurity, revealed that the combination of these features has allowed the firm to uncover a big privacy problem. "If a scammer signs up for Telegram and already has your phone number in their contact list, it will also notify them that you also have Telegram," he said. "So in addition to connecting you to your friends and contacts, the app will also connect scammers directly to you. Likewise, if you have scammers' numbers in your contact list for some reason, you will get push notifications when they join Telegram." What's more, Bambenek explained that this issue didn't occur just once or twice: on multiple occasions Fidelis observed phone numbers associated with telemarketing scammers signed up to use Telegram. "To complicate matters, we found no obvious way to prevent people from finding out if you are a Telegram user," he added. Further, Bambenek warned that it would not be difficult to come up with a way to find out if a phone number uses Telegram (or many of the other popular mobile messaging/voice applications, for that matter), highlighting the following as uses for this insight by third parties:
Intelligence agencies consider the use of such services as a "risk factor" when deciding on surveillance targets.
Border control officials could detect the use of such services during border crossing interviews, and conclude that the user has something to hide.
Criminals could use the knowledge that a user is on such a service to target them.
"Encrypted messaging and voice applications create a new surface area for attacks to unfold and should not be entirely trusted," Bambenek continued. "While these apps may be a great benefit to privacy, they shouldn't be trusted any more than unencrypted calls. These systems do protect against spoofing, but if you have unknown callers on such applications, due caution is still required." However, Chris Boyd, lead malware analyst at Malwarebytes, was quick to point out that all VoIP and regular chat apps have the ability for strangers to add you to their contact list, depending on security settings, adding: "Whether people add themselves to your Telegram, Skype or even plain old Instant Messaging services, the same ground rules apply: try to ensure that they are who they say they are before revealing too much information. If in doubt, contact your associate directly using another service – just like you would if sent a 'stranded with no money in a foreign land' message on Facebook," he told Infosecurity.
Cisco's Talos says they've observed active attacks against a zero-day vulnerability in Apache's Struts, a popular Java application framework. Cisco started investigating the vulnerability shortly after it was disclosed, and found a number of active attacks. In an advisory issued on Monday, Apache says the problem with Struts exists within the Jakarta Multipart parser. "It is possible to perform a RCE attack with a malicious Content-Type value. If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user," the warning explained. "If you are using Jakarta based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1. You can also switch to a different implementation of the Multipart parser." The alternative is the Pell parser plugin, which uses Jason Pell's multipart parser instead of the Common-FileUpload library, Apache explains. In addition, administrators concerned about the issue could just apply the proper updates, which are currently available. In a blog post, Cisco said they discovered a number of attacks that seem to be leveraging a publicly released proof-of-concept to run various commands. Such commands include simple ones ('whoami') as well as more sophisticated ones, including pulling down a malicious ELF executable and running it.
An example of one attack, which attempts to copy the file to a harmless directory, ensure the executable runs, and that the firewall is disabled at boot-up, is below:
Both Cisco and Apache urge administrators to take action, either by patching or ensuring their systems are not vulnerable. This isn't the first time the Struts platform has come under attack. In 2013, Chinese hackers were using an automated tool to exploit known vulnerabilities in order to install a backdoor.
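A defender-side check for the Content-Type issue Apache describes above, written as an added example for this page; it is not Cisco's, Apache's or the Struts project's own code. Apache's advisory says the exception path is reached when the Content-Type value "isn't valid", so the check validates each request's Content-Type against the HTTP media-type grammar (RFC 7231 media-type, RFC 7230 token and quoted-string) and flags anything that fails, which is the kind of request that should never reach the Multipart parser in the first place. It additionally flags values containing expression-language markers; that second rule is a heuristic added here, not something the advisory states. The tab-separated request log format, the log lines and the placeholder marker string are all constructed for the example, not captured traffic.

```python
import re
from typing import Dict, List

# media-type = type "/" subtype *( OWS ";" OWS parameter )
# parameter  = token "=" ( token / quoted-string )
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
PARAMETER = rf"{TOKEN}=(?:{TOKEN}|{QUOTED_STRING})"
MEDIA_TYPE_RE = re.compile(rf"^{TOKEN}/{TOKEN}(?:[ \t]*;[ \t]*{PARAMETER})*[ \t]*$")

# Expression-language markers have no place in a media type. Flagging them is a
# heuristic added in this example (assumption), not part of Apache's advisory.
EXPRESSION_MARKERS = ("%{", "${")


def classify_content_type(value: str) -> str:
    """Return 'ok', 'expression-marker' or 'malformed' for one Content-Type header value."""
    if any(marker in value for marker in EXPRESSION_MARKERS):
        return "expression-marker"
    if not MEDIA_TYPE_RE.match(value):
        return "malformed"
    return "ok"


def parse_log_line(line: str) -> Dict[str, str]:
    """Parse one line of the constructed tab-separated request log."""
    ts, src, method, path, ctype = line.rstrip("\n").split("\t", 4)
    return {"ts": ts, "src": src, "method": method, "path": path, "content_type": ctype}


def scan_request_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return the entries whose Content-Type warrants investigation, each tagged with a reason."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_log_line(line)
        verdict = classify_content_type(entry["content_type"])
        if verdict != "ok":
            entry["reason"] = verdict
            findings.append(entry)
    return findings


# Constructed sample log (not real traffic). Fields: timestamp, client IP from the
# RFC 5737 documentation ranges, method, path, Content-Type header value.
SAMPLE_LOG = [
    "2017-03-08T10:15:32Z\t198.51.100.7\tPOST\t/upload.action\tmultipart/form-data; boundary=----FormBoundary7MA4YWxk",
    "2017-03-08T10:15:40Z\t198.51.100.8\tPOST\t/upload.action\tapplication/x-www-form-urlencoded",
    "2017-03-08T10:16:02Z\t203.0.113.5\tPOST\t/upload.action\t%{EXPRESSION_PLACEHOLDER}",
    "2017-03-08T10:16:09Z\t203.0.113.5\tPOST\t/upload.action\tmultipart/form-data; boundary",
    "2017-03-08T10:16:15Z\t198.51.100.9\tGET\t/index.action\ttext/html; charset=\"utf-8\"",
]


if __name__ == "__main__":
    for hit in scan_request_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} {hit["path"]} Content-Type={hit["content_type"]!r} -> {hit["reason"]}')
```

The grammar check is the more durable of the two rules: it needs no knowledge of any particular payload and rejects the whole class of values the parser would choke on, so it can sit in a reverse proxy or WAF in front of an unpatched instance while the upgrade to 2.3.32 or 2.5.10.1 is scheduled. The marker rule is cheap to run but easy to evade, so treat it as a hunting aid rather than a control.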