Apache Struts 2: RCE (Remote Code Execution) vulnerability
Attackers are exploiting a vulnerability patched last month in the Apache Struts web development framework to install ransomware on servers.
The SANS Internet Storm Center issued an alert Thursday, saying an attack campaign is compromising Windows servers through a vulnerability tracked as CVE-2017-5638.
The flaw is located in the Jakarta Multipart parser in Apache Struts 2 and allows attackers to execute system commands with the privileges of the user running the web server process. A single crafted Content-Type header is enough to trigger it: when the parser fails to handle the header, its error handling evaluates the header value as an OGNL expression, so no authentication and no valid file upload are needed.
This vulnerability was patched on March 6 in Struts versions 2.3.32 and 2.5.10.1. Attackers started exploiting the flaw almost immediately, leaving very little time for server administrators to deploy the update.
While the initial attack campaigns deployed simple backdoors and Unix bots, the latest attacks seen by SANS researchers are deploying potentially much more damaging malware: the Cerber ransomware program.
Cerber appeared over a year ago and has had time to mature. It is well developed, and its encryption implementation has no known flaws that would allow files to be recovered for free.
Struts is widely used for application development in enterprise environments, and this is not the first time enterprise server software has been exploited to install ransomware. Last year, attackers took advantage of a vulnerability in the JBoss application server in a similar manner.
Server administrators who haven't updated their Struts deployments should do so as soon as possible. Since this vulnerability gives the attacker command execution with the privileges of the user running the application, the web server process should also run under an unprivileged account, which limits what a successful exploit can do.
Furthermore, application whitelisting policies can be used on Windows servers to limit which applications unprivileged users can execute, blocking the ability of attackers to run ransomware or other malicious programs.
Apache Struts 2 (CVE-2017-5638) Exploit Analysis
Industries Targeted: Education (37%), Technology (5%), Finance (4%), Healthcare (28%), State/Local/Federal Government (<1%); the remainder was spread across Business Services, Construction, Real Estate, Food and Beverage, Gaming, Manufacturing, Non-Profit, Entertainment and Retail.
NTT Security noticed exploit attempts almost immediately after signatures were installed.
Exploit Intentions – Reconnaissance
Post-exploit intentions were either to download malware or to perform reconnaissance. Reconnaissance accounted for 69 percent of all exploit attempts, but in a few instances threat actors were attempting to disable local firewalls and download malware. Several payloads indicated threat actors were running common Linux commands such as ifconfig, uname -r and echo. Some of the payloads used wget to fetch a page from a remote server, which is believed to be for tracking purposes, as there was no attempt to change the permissions of any downloaded binaries and no attempt to execute any local file.
Exploit Intentions – Installation
Other payloads showed attempts to disable local firewalls such as iptables and SuSEfirewall2. Where the firewall was successfully disabled, the threat actors would then attempt to download malware from remote locations over specific ports.
Predictive Analysis:
Exploit attempts against CVE-2017-5638 will continue because of the simplicity of the vulnerability, the popularity of the product and the ability to execute code remotely. Probing attempts in which threat actors use wget to test whether retrieving additional files is possible on vulnerable machines indicate that those hosts will be targeted sooner rather than later.
Affected Systems:
- Apache Struts versions 2.3.5 – 2.3.31
- Apache Struts versions 2.5.0 – 2.5.10
Mitigation and Recommended Actions:
- Upgrade to Struts 2.3.32 or Struts 2.5.10.1
- Implement a Servlet filter that validates the Content-Type header and discards requests whose value does not match a well-formed multipart/form-data type (a workaround until the upgrade is deployed)
- Switch to a different multipart parser, such as Pell or the parser from the Commons FileUpload library
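The second recommendation, as an added example written for this page (it is not code from the original article or from the Struts project): a servlet filter that rejects any Content-Type header containing OGNL delimiters, and any header that mentions multipart/form-data without matching a strict grammar for a real multipart request. The class name, the boundary regex and the 400 status code are assumptions; the check runs on the raw header because that is the value the vulnerable parser sees.

```java
// Added example: servlet filter enforcing the Content-Type check from the
// mitigation list above. Written for this page, not taken from Struts;
// class name, regex and rejection status code are assumptions.
import java.io.IOException;
import java.util.Locale;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MultipartContentTypeFilter implements Filter {

    // Strict grammar for a legitimate multipart header, based on RFC 2046:
    // the media type, a boundary of 1-70 boundary characters (optionally
    // quoted) and at most a charset parameter. Anything else that claims to
    // be multipart/form-data is rejected before Struts can parse it.
    private static final Pattern VALID_MULTIPART = Pattern.compile(
        "^multipart/form-data\\s*;\\s*boundary=\"?[0-9A-Za-z'()+_,\\-./:=? ]{1,70}\"?"
        + "(\\s*;\\s*charset=[0-9A-Za-z_-]{1,40})?\\s*$",
        Pattern.CASE_INSENSITIVE);

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Read the raw header rather than getContentType(): the container may
        // normalise the latter, and the injected expression sits in the raw value.
        String contentType = request.getHeader("Content-Type");
        if (isSuspicious(contentType)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST,
                "Unsupported Content-Type");
            return; // the request never reaches the Struts dispatcher
        }
        chain.doFilter(req, res);
    }

    /** Returns true for any Content-Type value that must not reach the multipart parser. */
    static boolean isSuspicious(String contentType) {
        if (contentType == null) {
            return false; // no body type declared, nothing for the parser to handle
        }
        // OGNL expression delimiters never belong in a media type.
        if (contentType.contains("%{") || contentType.contains("${")) {
            return true;
        }
        String lower = contentType.toLowerCase(Locale.ROOT);
        // Struts routes any header that *mentions* multipart/form-data to the
        // multipart parser, so test with contains(), not startsWith(), and then
        // require the whole value to match the strict grammar.
        if (lower.contains("multipart/form-data")) {
            return !VALID_MULTIPART.matcher(contentType).matches();
        }
        return false;
    }
}
```

Register the filter in web.xml with a `<filter-mapping>` on `/*` placed before the Struts filter mapping, since servlet filters run in mapping order and this one only helps if it sees the request first. A header such as `multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW` passes; a header that contains `multipart/form-data` inside an expression, or any `%{` or `${`, is answered with 400 and never parsed. This is defence in depth for the window before the upgrade, not a replacement for it.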
Malware Hashes:
0132c766b1855c27819d9c108c7954c2
14782a44772c0b5fa69168b58ee6c9cd
58e50a7a0b76ce7601ae0096bb499d55
706b501e23b7dd3acac547daaa1298a2
7b2e2d5b06ed82d204a1d651a69d1845
cdc457633178e845bb4b306531a4588b
e6408aa9db0a1e09c8028f87d3a8f0cf
f8886fb4e56dbfd877eb8b8a5d125844