Security News

Two big fakes & two big flaws

Avast Security News Team, 24 August 2018

Phony profiles and websites are rampant in election season, and security flaws were found in Ghostscript and Apache Struts.

Updated:  The DNC cyberattack was deemed to be a simulated test by an unknown third party.  This has been removed from our security roundup for the week.

Security flaws haunt Ghostscript

For the third year in a row, researchers have found exploitable flaws in the open source software Ghostscript, a PDF and PostScript interpreter used by hundreds of programs on all major platforms. While the software includes a sandbox protection option, researchers have now identified a series of sandbox bypass vulnerabilities. For a bad actor to take advantage of the flaw, he or she would only need to send their victim a specially modified file in a format that triggers interaction with Ghostscript (PDF, PS, EPS, or XPS). Doing so would grant the malware’s C&C remote code execution privileges on the infected system, thereby allowing them to essentially take it over. No patch is available yet, so experts are advising that Linux distributions disable PS, EPS, PDF, and XPS coders in ImageMagick’s policy.xml, as the image processing library seems to be the most affected project by the flaw.

Microsoft declaws Fancy Bear

Microsoft Digital Crimes Unit was given permission by the US court system to seize six domains posing at politically influential websites. Microsoft claims the sites were associated with a hacking group known as APT28, which also goes under the names Strontium and Fancy Bear. It is the same group accused of using hacking and phishing tactics to affect the outcome of the 2016 US presidential election. The same operation seemed to be afoot among the seized sites. Each was a phony version of legitimate conservative-leaning websites such as The Hudson Institute and the International Republican Institute, leading many to believe high-level politicians were being targeted. The domains shut down were:

  • My-iri.org
  • Hudsonorg-my-sharepoint.com
  • Senate.group
  • Adfs-senate.services
  • Adfs-senate.email
  • Office365-onedrive.com

Facebook wipes hundreds of phony accounts

Facebook, Twitter, and Alphabet collectively booted a substantial amount of phony accounts that the social giants believe were part of two different propaganda campaigns, one originating from Iran and the other from Russia. The Iran-based accounts created a network of fake news and phony personas with “anti-Saudi, anti-Israeli, pro-Palestinian themes,” according to cybersecurity experts. The Russia-based accounts were using social engineering and phishing tactics to steal login credentials from US political players. Both Tehran and the Kremlin deny their countries had anything to do with the campaigns. Twitter removed 284 accounts, while Facebook took down 392 accounts and 254 pages.

Apache Struts flaw gives up your server

Researchers revealed a newly discovered flaw earlier this week in the popular web app open source framework Apache Struts. It was a similar flaw in Apache Struts that caused the Equifax breach last year that affected 143 million users’ data. Companies such as Lockheed, Vodafone, and IRS use Apache Struts and could be vulnerable if they have not yet patched the flaw, which allows remote code execution (RCE). Websites that have updated to Struts versions 2.3.35 or 2.5.17 no longer have the vulnerability. All users of the framework are encouraged to update their software.


Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Learn more about products that protect your digital life at avast.com. And get all the latest news on today's cyberthreats and how to beat them at blog.avast.com.