Critical Apache Struts Vulnerability Exploited in Live Attacks

A critical remote code execution vulnerability in Apache Struts 2 that was patched last week is already being abused in malicious attacks, threat intelligence firm Volexity warns.

The flaw affects Struts 2.3 through 2.3.34, Struts 2.5 through 2.5.16, and possibly unsupported versions of the framework.

Tracked as CVE-2018-11776, the bug is rather trivial to exploit: because Apache Struts doesn’t properly validate namespace input data, an attacker would only need to insert their own namespace as a parameter in an HTTP request.

Neither the Apache Software Foundation – which announced the availability of patches on August 22 – nor Semmle – the code analysis company that reported the bug in April – provided technical details, but a proof-of-concept (PoC) exploit for the vulnerability was published within days.

Now, Volexity says they have observed the first malicious campaign targeting the vulnerability. The attacks apparently started shortly after the PoC was released.

“Volexity has observed at least one threat actor attempting to exploit CVE-2018-11776 en masse in order to install the CNRig cryptocurrency miner. The initial observed scanning originated from the Russian and French IP addresses 95.161.225.94 and 167.114.171.27,” the security firm reveals.

The observed exploit attempts to retrieve a copy of the CNRig miner from GitHub (saving it as xrig) and a shell script from BitBucket, issuing wget requests to the URLs where the two files are hosted.

Among other actions, the shell script removes specific processes, deletes previous instances of the miner, and downloads three ELF cryptomining binaries. These are miner executables targeting Intel, ARM, and MIPS architectures, which shows the broad scope of the attack.
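As an added defender-side example (not from the article, Volexity, or the Struts project), the following Python checks a Struts version string against the affected ranges given above and triages web-server access-log lines for the two signs the article describes: requests from the reported scanning IPs and an expression placed in the URL path, which is where Struts reads the namespace. The log lines and the harmless `${1+1}` expression are constructed, and the expression-marker heuristic is an assumption of this example, not a published signature.

```python
import re
from urllib.parse import unquote

# Affected Struts releases named in the advisory (inclusive version ranges).
AFFECTED = [((2, 3, 0), (2, 3, 34)), ((2, 5, 0), (2, 5, 16))]

# Source IPs Volexity reported for the initial scanning (quoted in the article).
SCANNER_IPS = {"95.161.225.94", "167.114.171.27"}

# Expression markers that have no business in a namespace segment of the path.
# Heuristic assumed for this example; tune and test before production use.
EXPR_MARKER = re.compile(r"[$%]\{")

# Common/combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Aug/2018:10:01:02 +0000] "GET /index.action HTTP/1.1" 200 512',
    '95.161.225.94 - - [27/Aug/2018:10:02:15 +0000] "GET /%24%7B1%2B1%7D/index.action HTTP/1.1" 302 0',
    '198.51.100.9 - - [27/Aug/2018:10:03:40 +0000] "GET /${1+1}/help.action HTTP/1.1" 404 210',
]


def is_affected(version):
    """True if a dotted Struts version falls inside an affected range."""
    parts = [int(p) for p in version.split(".")]
    parts = tuple(parts + [0] * (3 - len(parts)))  # pad "2.3" to (2, 3, 0)
    return any(lo <= parts <= hi for lo, hi in AFFECTED)


def triage_line(line):
    """Return the list of reasons a log line is suspicious (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    if m.group("ip") in SCANNER_IPS:
        reasons.append("known-scanner-ip")
    # Decode percent-encoding and look only at the path, not the query string.
    namespace = unquote(m.group("path")).split("?", 1)[0]
    if EXPR_MARKER.search(namespace):
        reasons.append("expression-in-namespace")
    return reasons


def triage(lines):
    """Map line index -> reasons for every flagged line."""
    return {i: r for i, line in enumerate(lines) if (r := triage_line(line))}
```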


“[I]t shows the miner is capable of running across a wide range of hardware, such as servers, desktops, laptops, IOT devices, wireless routers, and more — nearly any internet connected device running a vulnerable instance of Apache Struts,” Volexity points out.

The BitBucket folder appears to be an open directory that contains both the shell script and the ELF binaries. The mining account name is the same as the BitBucket account name, the security firm says.

Apache Struts framework’s popularity makes it a highly appealing target to cybercriminals and threat actors alike, and it’s no surprise that the recently addressed bug is already being abused for malicious purposes.

A critical remote code execution flaw addressed in the framework in March 2017 was still being targeted one year later, SANS Internet Storm Center handler Guy Bruneau reported several months ago.

Related: Exploit for Recent Critical Apache Struts Vulnerability Published

Related: Critical Apache Struts 2 Flaw Allows Remote Code Execution

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
