
Critical Apache Struts Vulnerability Exploited in Live Attacks

A critical remote code execution vulnerability in Apache Struts 2 that was patched last week is already being abused in malicious attacks, threat intelligence firm Volexity warns.

The flaw affects Struts 2.3 through 2.3.34, Struts 2.5 through 2.5.16, and possibly unsupported versions of the framework.

Tracked as CVE-2018-11776, the bug is rather trivial to exploit: because Apache Struts doesn’t properly validate namespace input data, an attacker would only need to insert their own namespace as a parameter in an HTTP request.

Neither the Apache Software Foundation – which announced the availability of patches on August 22 – nor Semmle – the code analysis company that reported the bug in April – provided technical details, but a proof-of-concept (PoC) exploit for the vulnerability was published within days.

Now, Volexity says they have observed the first malicious campaign targeting the vulnerability. The attacks apparently started shortly after the PoC was released.

“Volexity has observed at least one threat actor attempting to exploit CVE-2018-11776 en masse in order to install the CNRig cryptocurrency miner. The initial observed scanning originated from the Russian and French IP addresses 95.161.225.94 and 167.114.171.27,” the security firm reveals.

The observed exploit attempts to retrieve a copy of the CNRig miner from GitHub (saving it as xrig) and a shell script from BitBucket, using wget requests to the URLs where the two files are hosted.

Among other actions, the shell script removes specific processes, deletes previous instances of the miner, and downloads three ELF cryptomining binaries. These are miner executables targeting Intel, ARM, and MIPS architectures, which shows the broad scope of the attack.
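The campaign described above lends itself to a simple defender-side triage script. The following is an added example, not code from SecurityWeek, Volexity, or the Struts project: it checks a Struts version string against the affected ranges the article lists (2.3 through 2.3.34 and 2.5 through 2.5.16), and scans web-server access-log lines for the two scanning IPs Volexity reported, for the xrig/wget download artefacts mentioned in the article, and for an OGNL-style expression marker in the URL path. That last pattern is an assumption about the shape of an injected namespace (the article only says attackers insert a namespace as a request parameter), as is the combined access-log format; the log lines are constructed for the example.

```python
"""
Defender-side triage helpers for CVE-2018-11776 (Apache Struts 2 namespace
validation flaw). Added illustration; not code from SecurityWeek, Volexity,
or the Struts project.

Assumptions not stated in the article:
  * access logs use the common/combined layout parsed by LOG_RE;
  * an injected namespace shows up as an OGNL-style "${" or "%{" marker in
    the (URL-decoded) request path; tune OGNL_MARKER for your deployment.
The scanner IPs, the xrig filename and the version ranges come from the article.
"""
import re
from urllib.parse import unquote

# IoCs quoted from the article (Volexity's observed scanning sources).
SCANNER_IPS = {"95.161.225.94", "167.114.171.27"}

# Artefacts of the observed payload named in the article.
DOWNLOAD_HINTS = ("wget", "xrig")

# Affected ranges quoted from the article: 2.3.0-2.3.34 and 2.5.0-2.5.16.
# The article also says unsupported versions may be affected; those are not
# covered here, so a False result is not proof of safety.
AFFECTED_RANGES = (((2, 3, 0), (2, 3, 34)), ((2, 5, 0), (2, 5, 16)))

# Assumed shape of an injected namespace: an OGNL expression marker in the path.
OGNL_MARKER = re.compile(r"[$%]\{")

# Common access-log layout (assumed): ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)


def parse_version(text):
    """'2.5.16' -> (2, 5, 16); a missing patch level is treated as .0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Struts version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version):
    """True if the version falls inside one of the ranges the article lists."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def classify(line):
    """Return a dict describing why the line is suspicious, or None if clean."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a recognisable access-log line; skip rather than guess
    ip, path = m["ip"], unquote(m["path"])  # decode %24%7B -> ${ before matching
    reasons = []
    if ip in SCANNER_IPS:
        reasons.append("source IP named in Volexity report")
    if OGNL_MARKER.search(path):
        reasons.append("OGNL-style expression marker in URL path (assumed exploit shape)")
    if any(hint in path.lower() for hint in DOWNLOAD_HINTS):
        reasons.append("miner download artefact referenced in request")
    if not reasons:
        return None
    return {"ip": ip, "path": path, "status": m["status"], "reasons": reasons}


def scan_log(text):
    """Run classify() over every line and keep only the hits, in log order."""
    return [hit for hit in map(classify, text.splitlines()) if hit]


# Constructed sample log: two benign requests, two from the reported scanner
# IPs, and one from an unrelated address carrying the assumed marker and
# the xrig filename. The "${placeholder}" path is deliberately inert.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Aug/2018:10:00:01 +0000] "GET /app/login.action HTTP/1.1" 200 512
95.161.225.94 - - [27/Aug/2018:10:00:02 +0000] "GET /%24%7Bplaceholder%7D/index.action HTTP/1.1" 302 0
10.0.0.7 - - [27/Aug/2018:10:00:03 +0000] "POST /app/search.action HTTP/1.1" 200 2048
167.114.171.27 - - [27/Aug/2018:10:00:04 +0000] "GET /app/help.action HTTP/1.1" 404 0
203.0.113.9 - - [27/Aug/2018:10:00:05 +0000] "GET /%24%7Bplaceholder%7D/xrig.action HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for ver in ("2.3.34", "2.5.16", "2.5.17"):
        print(f"Struts {ver}: {'affected' if is_affected(ver) else 'not in listed ranges'}")
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["path"], "->", "; ".join(hit["reasons"]))
```

Feed real access logs through `scan_log()` and treat a hit on the scanner IPs or the download hints as high confidence; the OGNL-marker rule is a heuristic and will also catch legitimate applications that put braces in paths, so review those hits before acting on them.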


“[I]t shows the miner is capable of running across a wide range of hardware, such as servers, desktops, laptops, IOT devices, wireless routers, and more — nearly any internet connected device running a vulnerable instance of Apache Struts,” Volexity points out.

The BitBucket folder appears to be an open directory that contains both the shell script and the ELF binaries. The mining account name is the same as the BitBucket account name, the security firm says.

Apache Struts framework’s popularity makes it a highly appealing target to cybercriminals and threat actors alike, and it’s no surprise that the recently addressed bug is already being abused for malicious purposes.

A critical remote code execution flaw addressed in the framework in March 2017 was still being targeted one year later, SANS Internet Storm Center handler Guy Bruneau reported several months ago.

Related: Exploit for Recent Critical Apache Struts Vulnerability Published

Related: Critical Apache Struts 2 Flaw Allows Remote Code Execution

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
