Security Experts:

Apache Struts Flaw Used to Deliver Cerber Ransomware

A recently patched Apache Struts 2 vulnerability has been exploited by cybercriminals to deliver Cerber ransomware to Windows systems, researchers warned.

The flaw, tracked as CVE-2017-5638, can be exploited for remote code execution. Malicious actors started exploiting the vulnerability to deliver malware shortly after a patch was made available and a proof-of-concept (PoC) exploit was released.

In many cases, attackers targeted Unix systems with backdoors and distributed denial-of-service (DDoS) bots, but recently experts also spotted a campaign targeting Windows machines.

In the week of March 20, researchers at F5 Networks started seeing attacks delivering Cerber ransomware to Windows servers. Experts at the SANS Technology Institute also reported seeing these attacks on Wednesday.

Cybercriminals have used the exploit to execute shell commands and run BITSAdmin and other command-line tools shipped with Windows. These tools are used to download and execute the Cerber malware.

The ransomware encrypts important files found on the system and demands money in return for the “special decryption software” needed to recover the files.

The Bitcoin address where victims are instructed to send the ransom is the same across multiple campaigns. F5 Networks reported seeing 84 bitcoins, currently worth nearly $100,000, in that address.

“The new vulnerability in Apache STRUTS provides a target-rich environment for threat actors to extend their business while infecting thousands of new servers,” F5 said in a blog post. “Targeting servers, rather than individuals, with ransomware has better chances for monetization because those are usually run by organizations with deeper pockets and better infrastructure that might be critical for their business.”

AT&T vulnerable to Apache Struts exploit

The Apache Struts vulnerability has been found to affect many products, including from Cisco and VMware.

Independent security researcher Corben Douglas reported on Wednesday that he tested AT&T systems roughly 4-5 days after the exploit was released and they had been vulnerable to attacks. The expert said he managed to execute commands on AT&T servers, which could have allowed him to “pwn” the company.

Related: Cerber Ransomware Tries to Evade Machine Learning Security

Related: Cerber Ransomware Delivered via Google, Tor2web

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.