A recently patched Apache Struts 2 vulnerability has been exploited by cybercriminals to deliver Cerber ransomware to Windows systems, researchers warned.
The flaw, tracked as CVE-2017-5638, can be exploited for remote code execution. Malicious actors started exploiting the vulnerability to deliver malware shortly after a patch was made available and a proof-of-concept (PoC) exploit was released.
In many cases, attackers targeted Unix systems with backdoors and distributed denial-of-service (DDoS) bots, but recently experts also spotted a campaign targeting Windows machines.
In the week of March 20, researchers at F5 Networks started seeing attacks delivering Cerber ransomware to Windows servers. Experts at the SANS Technology Institute also reported seeing these attacks on Wednesday.
Cybercriminals have used the exploit to execute shell commands and run BITSAdmin and other command-line tools shipped with Windows. These tools are used to download and execute the Cerber malware.
The ransomware encrypts important files found on the system and demands money in return for the “special decryption software” needed to recover the files.
The Bitcoin address where victims are instructed to send the ransom is the same across multiple campaigns. F5 Networks reported seeing 84 bitcoins, currently worth nearly $100,000, in that address.
“The new vulnerability in Apache STRUTS provides a target-rich environment for threat actors to extend their business while infecting thousands of new servers,” F5 said in a blog post. “Targeting servers, rather than individuals, with ransomware has better chances for monetization because those are usually run by organizations with deeper pockets and better infrastructure that might be critical for their business.”
AT&T vulnerable to Apache Struts exploit
The Apache Struts vulnerability has been found to affect many products, including from Cisco and VMware.
Independent security researcher Corben Douglas reported on Wednesday that he tested AT&T systems roughly 4-5 days after the exploit was released and they had been vulnerable to attacks. The expert said he managed to execute commands on AT&T servers, which could have allowed him to “pwn” the company.
Related: Cerber Ransomware Tries to Evade Machine Learning Security
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Thousands Access Fake DDoS-for-Hire Websites Set Up by UK Police
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Dole Says Employee Information Compromised in Ransomware Attack
- High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian
- CISA Expands Cybersecurity Committee, Updates Baseline Security Goals
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
Latest News
- 14 Million Records Stolen in Data Breach at Latitude Financial Services
- Webinar Today: Understanding Hidden Third-Party Identity Access Risks
- Thousands Access Fake DDoS-for-Hire Websites Set Up by UK Police
- iOS Security Update Patches Exploited Vulnerability in Older iPhones
- Microsoft: No-Interaction Outlook Zero Day Exploited Since Last April
- US to Adopt New Restrictions on Using Commercial Spyware
- Hackers Earn Over $1 Million at Pwn2Own Exploit Contest
- GoAnywhere Zero-Day Attack Hits Major Orgs
