Security Experts:

Connect with us

Hi, what are you looking for?



Apache Struts Flaw Used to Deliver Cerber Ransomware

A recently patched Apache Struts 2 vulnerability has been exploited by cybercriminals to deliver Cerber ransomware to Windows systems, researchers warned.

A recently patched Apache Struts 2 vulnerability has been exploited by cybercriminals to deliver Cerber ransomware to Windows systems, researchers warned.

The flaw, tracked as CVE-2017-5638, can be exploited for remote code execution. Malicious actors started exploiting the vulnerability to deliver malware shortly after a patch was made available and a proof-of-concept (PoC) exploit was released.

In many cases, attackers targeted Unix systems with backdoors and distributed denial-of-service (DDoS) bots, but recently experts also spotted a campaign targeting Windows machines.

In the week of March 20, researchers at F5 Networks started seeing attacks delivering Cerber ransomware to Windows servers. Experts at the SANS Technology Institute also reported seeing these attacks on Wednesday.

Cybercriminals have used the exploit to execute shell commands and run BITSAdmin and other command-line tools shipped with Windows. These tools are used to download and execute the Cerber malware.

The ransomware encrypts important files found on the system and demands money in return for the “special decryption software” needed to recover the files.

The Bitcoin address where victims are instructed to send the ransom is the same across multiple campaigns. F5 Networks reported seeing 84 bitcoins, currently worth nearly $100,000, in that address.

“The new vulnerability in Apache STRUTS provides a target-rich environment for threat actors to extend their business while infecting thousands of new servers,” F5 said in a blog post. “Targeting servers, rather than individuals, with ransomware has better chances for monetization because those are usually run by organizations with deeper pockets and better infrastructure that might be critical for their business.”

AT&T vulnerable to Apache Struts exploit

The Apache Struts vulnerability has been found to affect many products, including from Cisco and VMware.

Independent security researcher Corben Douglas reported on Wednesday that he tested AT&T systems roughly 4-5 days after the exploit was released and they had been vulnerable to attacks. The expert said he managed to execute commands on AT&T servers, which could have allowed him to “pwn” the company.

Related: Cerber Ransomware Tries to Evade Machine Learning Security

Related: Cerber Ransomware Delivered via Google, Tor2web

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.