After a security researcher revealed a vulnerability last week in Apache Struts, a very popular piece of enterprise software, active exploitation attempts have started this week.
The vulnerability in question is tracked as CVE-2018-11776, a remote code execution flaw that allows an attacker to gain control over Struts-based web applications.
The vulnerability is not exploitable in default Struts configurations, according to an analysis by Palo Alto Networks, but the flaw is of interest to everyone, mainly because Struts is used by some of the world's largest companies (including Equifax, which suffered a major data breach last year because of a Struts flaw).
Multiple PoCs released last week
Over the course of last week, several security researchers have put together different proof-of-concept (PoC) scripts for CVE-2018-11776 [1, 2, 3, 4], including a step-by-step tutorial.
One of these PoCs has also been embedded into an all-in-one Struts exploitation toolkit that combines previous Struts remote code execution flaws into a hacker's dream.
Someone has released a tool for automatically exploiting Apache Struts servers via 3 well-known RCEs:
CVE-2013-2251
CVE-2017-5638
CVE-2018-11776
Surprisingly, CVE-2017-9805 is not on there, despite being more recent and already-existing PoCs https://t.co/4qgZJpVbYG
— Catalin Cimpanu (@campuscodi) August 27, 2018
But despite the publication of so many PoCs and Struts hacking tools, attacks did not happen immediately.
Two cyber-security firms, GreyNoise Intelligence and Volexity, say they detected threat actors scanning for Struts servers starting last week, but they did not identify any exploitation attempts.
GreyNoise has observed one (1) host (192.173.146.40) opportunistically testing sections of the Internet for the recent Apache Struts vuln (CVE-2018-11776), but no weaponized exploits have been observed yet. We will report when wide scale opportunistic exploitation is observed.
— GreyNoise Intelligence (@GreyNoiseIO) August 24, 2018
First attacks started yesterday
Active attempts to exploit CVE-2018-11776 did not start until late last night.
"The first exploitation attempts we observed took place yesterday, August 27," Matthew Meltzer, security analyst for Volexity, told Bleeping Computer in a private conversation today.
"We are seeing the scans and exploit attempts fairly broadly across a wide array of geographically dispersed targets," Meltzer added.
GreyNoise confirmed Meltzer's findings earlier today on Twitter. GreyNoise says scans and attempts to exploit this flaw were recorded from four IPs, which the company's experts believe to be part of the same botnet: 192.173.146.40, 202.189.2.94, 182.23.83.30, and 95.161.225.94.
Over the past 24 hours GreyNoise has observed three (3) additional distinct hosts (202.189.2.94, 182.23.83.30, 95.161.225.94) crawl the Internet to test for this vulnerability as well, all using the same tooling. This indicates that these hosts are likely part of the same botnet
— GreyNoise Intelligence (@GreyNoiseIO) August 28, 2018
In a report on its blog, Volexity also confirmed that some scans came from 95.161.225.94, as well as from 167.114.171.27, both known sources of many Internet scanning operations.
"We have seen both IP addresses actively conducting scans over this past year," Meltzer told us.
Attackers infecting servers with coinminers
After analyzing some of these exploitation attempts, Volexity researchers say they were able to pinpoint the exact nature of these attacks.
The company says the group behind these scans is using CVE-2018-11776 to break into Struts apps and contaminate the underlying server with a version of the CNRig cryptocurrency miner downloaded from a BitBucket repository.
Right now, the attacks are small in scale, compared to other threat actors scanning for other vulnerabilities.
"Wide-scale indiscriminate exploitation has still not yet been observed," GreyNoise said earlier today.
The reason, as Palo Alto Networks researchers have pointed out, is that Struts apps in their default configs are not vulnerable to CVE-2018-11776, meaning fewer servers are likely to be exploitable, so for many crooks the effort is not worth it.
Attackers actively scanning for past Struts flaws as well
But while threat actors aren't showing that much interest in CVE-2018-11776, they are showing interest in older Struts flaws, which have seen a resurgence of activity.
"Following the release of PoC code for CVE-2018-11776, we have also seen an increase in scanning for the older Struts vulnerabilities as well," Meltzer told Bleeping Computer.
If you're setting time aside to patch your Struts-based apps, it may be wise to apply patches for older flaws such as CVE-2013-2251, CVE-2017-5638, and CVE-2017-9805, as well.
The current and most recent Struts flaw, CVE-2018-11776, is known to affect Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16. The Apache Struts team has patched this issue with the release of Struts versions 2.3.35 and 2.5.17. Get patchin'!
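Since the article states the affected and fixed version ranges, a quick way to triage a deployment is to pull the version out of the `struts2-core-*.jar` filenames found on a server and compare them against those ranges. The following is an added example, not code from the article or from the Apache Struts project; the jar filenames it scans are constructed sample input, and the version ranges are the ones quoted above.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected range (inclusive) and first fixed release per branch, as stated in the article:
# 2.3 through 2.3.34 fixed in 2.3.35; 2.5 through 2.5.16 fixed in 2.5.17.
AFFECTED: Dict[Tuple[int, int], Tuple[Version, Version, Version]] = {
    (2, 3): ((2, 3, 0), (2, 3, 34), (2, 3, 35)),
    (2, 5): ((2, 5, 0), (2, 5, 16), (2, 5, 17)),
}

# Matches the Struts core jar naming scheme, e.g. struts2-core-2.5.14.jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Version:
    """Turn '2.3' or '2.5.16' into a 3-tuple so tuples compare numerically
    ('2.5.9' must sort below '2.5.16', which string comparison gets wrong)."""
    parts = tuple(int(p) for p in text.split("."))
    return (parts + (0, 0, 0))[:3]


def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, upgrade_to). Status is 'vulnerable', 'patched', or
    'unknown' for branches the article does not cover (e.g. 2.6.x)."""
    v = parse_version(version)
    branch = AFFECTED.get(v[:2])
    if branch is None:
        return "unknown", None
    low, high, fixed = branch
    if low <= v <= high:
        return "vulnerable", ".".join(map(str, fixed))
    return "patched", None


def assess_jars(paths) -> Dict[str, Tuple[str, Optional[str]]]:
    """Assess every Struts core jar in an iterable of file paths."""
    results = {}
    for path in paths:
        match = JAR_RE.search(path)
        if match:
            results[path] = assess(match.group(1))
    return results


if __name__ == "__main__":
    # Constructed sample paths standing in for the output of a filesystem walk.
    sample = ["/opt/app/WEB-INF/lib/struts2-core-2.5.14.jar",
              "/opt/legacy/WEB-INF/lib/struts2-core-2.3.35.jar",
              "/opt/app/WEB-INF/lib/commons-lang3-3.8.jar"]
    for path, (status, fix) in assess_jars(sample).items():
        print(f"{path}: {status}" + (f" (upgrade to {fix})" if fix else ""))
```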
Comments
bradleyross - 6 years ago
My personal feeling is that so-called Inversion of Control techniques (Struts, Spring, etc.) have severe security problems because the software writes the code that receives the parameters and carries out the processing. Not only is visibility into the workings limited, there will be changes with every update. Furthermore, open source projects allow viewing of beta versions, which means that the malicious actors will often have awareness of vulnerabilities before the legitimate users.
It seems to me that you have to assume that web software of this type will contain vulnerabilities and rely on other techniques such as architectural design to provide security.
https://bradleyaross.wordpress.com/2018/04/22/paranoids-guide-to-server-administration/ contains some information that I put together on this subject. Please let me know if you agree or disagree with the contents.