Hello, welcome to the Tuesday, November 6, 2018 edition of the Sansonet Storms and its Stormcast.

My name is Johannes Ulrich and I am recording from Jacksonville, Florida.

Apache today released an interesting advisory for Struts 2.3.

The problem here is that this version of Struts uses an outdated version of the

Commons File Upload library. This component has been known to be vulnerable to a remote code

execution vulnerability for about two years, but Struts 2.3 was still distributed with the outdated version of

this component, making it vulnerable to this vulnerability. If you included it and if you

actually took advantage of it using the standard struts to file upload mechanism.

The vulnerable version is 1.3.2.

The fixed version is 1.3.3.

You just have to replace that particular jar file if you are still using the outdated version.

And you can find links to advisories as well as to

the updated version of Commons file upload in our diary.

And unknown perpetrators used a number of high profile and verified stolen Twitter accounts in order to steal a good

number of Bitcoins. Last time I checked, they had about 30 Bitcoins stolen. And the way it all

worked is that these compromised accounts were advertising a tweet by Ellen Musk or claiming to come

from Alan Musk that Alan Musk would give away free Bitcoin. All you had to do is you had to

verify your Bitcoin address by sending a smaller amount of Bitcoin to that address.

Usually they're asking for about 0.4 to 0.6 bitcoins, which is still a few thousand dollars.

And then in return, you're supposed to get at least twice,

but possibly 10 times or more the amount that you send in.

Now, in order to support this scam, the perpetrators here went through quite a bit of trouble.

...