1. 17

This confirms that CVE-2017-5638, announced and patched in March, was the vector for the attack (which began in May).

  2. [Comment removed by author]

    1. 1

      It would be interesting to learn whether the Struts application was intended to have access to this scope of information in the leak, or if it was only a vector into which other layers of security were circumvented.

    2. 1

      Yet another months-old hole being used to break in.

      How come insurance companies haven’t gotten around to enforcing basic internet security on all these megacorps?

      1. 1

        The megacorps haven’t felt the need to buy insurance against events like this; it’s easier for the insurers to exclude these events from policies.