Apache Struts 2: RCE (Remote Code Execution) vulnerability



Attackers are exploiting a vulnerability patched last month in the Apache Struts web development framework to install ransomware on servers.
The SANS Internet Storm Center issued an alert Thursday, saying an attack campaign is compromising Windows servers through a vulnerability tracked as CVE-2017-5638.
The flaw is located in the Jakarta Multipart parser in Apache Struts 2 and allows attackers to execute system commands with the privileges of the user running the web server process.
This vulnerability was patched on March 6 in Struts versions 2.3.32 and 2.5.10.1. Attackers started exploiting the flaw almost immediately, leaving very little time for server administrators to deploy the update.
While the initial attack campaigns deployed simple backdoors and Unix bots, the latest attacks seen by researchers from SANS are deploying a potentially much more damaging malware: the Cerber ransomware program.
Cerber appeared over a year ago and has had time to mature. It is well developed and its encryption implementation has no known flaws that could allow the free recovery of files.
Struts is widely used for application development in enterprise environments, and this is not the first time enterprise server software has been exploited to install ransomware. Last year, attackers took advantage of a vulnerability in the JBoss application server in a similar manner.
Server administrators who haven't updated their Struts deployments should do so as soon as possible. Also, since this vulnerability allows command execution with the privileges of the user running the application, it is good practice to run the process under an unprivileged account.
Furthermore, application whitelisting policies can be used on Windows servers to limit which applications unprivileged users can execute, blocking the ability of attackers to execute ransomware or other malicious programs.

Apache Struts 2 (CVE-2017-5638) Exploit Analysis


Industries Targeted: Education (37%), Technology (5%), Finance (4%), Healthcare (28%), State/Local/Federal Government (<1%), with the remainder spread across Business Services, Construction, Real Estate, Food & Beverage, Gaming, Manufacturing, Non-profit, Entertainment and Retail.
NTT Security noticed exploit attempts almost immediately after signatures were installed.

Exploit Intentions – Reconnaissance

Post-exploit intentions were either to download malware or for reconnaissance efforts. Reconnaissance accounted for 69 percent of all exploit attempts, but in a few instances threat actors were attempting to disable local firewalls and download malware. Several payloads indicated threat actors were attempting to use common Linux commands such as ifconfig, uname -r, echo and more. As stated previously, some of the payloads attempted to use wget against a remote server page, which is believed to be used for tracking purposes, as there was no attempt to change the permissions of any downloaded binaries and no attempt to execute any local file.

Exploit Intentions – Installation

Payloads showed attempts to disable local firewalls such as iptables and SuSEfirewall2. If a firewall was successfully disabled, threat actors would then attempt to download malware from remote locations over specific ports.

Predictive Analysis:

Exploit attempts against CVE-2017-5638 will continue because of the simplicity of the vulnerability, the popularity of the product and the ability to execute code remotely. Probing attempts in which threat actors use wget to test whether retrieving additional files is possible on vulnerable machines indicate that threat actors will be targeting this list of hosts sooner rather than later.

Affected Systems:

  • Apache Struts versions 2.3.5 – 2.3.31
  • Apache Struts versions 2.5.0 – 2.5.10

Mitigation and Recommended Actions:

  • Upgrade to Struts 2.3.32 or Struts 2.5.10.1
  • Implement a Servlet filter which will validate Content-Type and throw away requests with suspicious values not matching multipart/form-data
  • Change to a different multipart parser such as Pell or the parser from the Commons FileUpload library
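
The Servlet-filter workaround listed above, and the Content-Type probes described under "Exploit Intentions", both come down to one question: is the header value a well-formed media type at all? The filter below is an added example written for this page, not code from NTT Security or from the Struts project; the class name ContentTypeFilter and the sample header values in main are constructed. It rejects any Content-Type that does not parse under the HTTP media-type grammar (an OGNL expression needs braces or parentheses, which the grammar never allows), logs the reason so the attempt is visible to detection, and answers 400 before the request can reach the Jakarta multipart parser.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet filter that drops requests whose Content-Type header is not a
 * well-formed media type. Struts 2 hands multipart requests to the Jakarta
 * parser based on this header, so a value the grammar rejects never reaches it.
 * Hypothetical class name; not part of Struts.
 */
public class ContentTypeFilter implements Filter {

    // RFC 7230 token characters. OGNL expressions need '{', '(' or ')',
    // none of which is a token character, so they can never match.
    private static final String TOKEN = "[A-Za-z0-9!#$%&'*+.^_`|~-]+";

    // media-type = type "/" subtype *( OWS ";" OWS parameter )
    // parameter  = token "=" ( token / quoted-string )
    private static final Pattern VALID_MEDIA_TYPE = Pattern.compile(
        "^" + TOKEN + "/" + TOKEN
      + "(?:\\s*;\\s*" + TOKEN + "=(?:" + TOKEN + "|\"(?:[^\"\\\\]|\\\\.)*\"))*\\s*$");

    /** Returns null when the header value is acceptable, otherwise a short reason for the log. */
    static String rejectReason(String contentType) {
        if (contentType == null || contentType.trim().isEmpty()) {
            return null; // no body type declared: the multipart parser is never invoked
        }
        if (contentType.contains("%{") || contentType.contains("${")) {
            return "expression marker in Content-Type"; // precise log line for detection rules
        }
        if (!VALID_MEDIA_TYPE.matcher(contentType).matches()) {
            return "malformed media type";
        }
        return null;
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            String reason = rejectReason(http.getHeader("Content-Type"));
            if (reason != null) {
                // Log source and reason so the attempt shows up in log searches, then stop the chain.
                System.err.printf("rejected %s %s from %s: %s%n",
                        http.getMethod(), http.getRequestURI(), http.getRemoteAddr(), reason);
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }

    /** Stand-alone check of the validator against constructed header values. */
    public static void main(String[] args) {
        List<String> samples = Arrays.asList(
            "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW", // normal browser upload
            "application/x-www-form-urlencoded",                                   // ordinary form post
            "application/json; charset=\"utf-8\"",                                 // quoted parameter value
            "%{#probe}multipart/form-data",                                        // constructed: expression marker
            "multipart/form-data; boundary=(eval)",                                // constructed: unquoted non-token chars
            null);                                                                 // no Content-Type at all
        for (String s : samples) {
            String reason = rejectReason(s);
            System.out.printf("%-70s -> %s%n", s, reason == null ? "accept" : "reject (" + reason + ")");
        }
    }
}
```

Register the filter in web.xml with a filter-mapping for /* placed before the Struts filter, or annotate the class with @WebFilter("/*") on a Servlet 3.0 container, so it runs first. The grammar is strict on purpose: a client that sends an unquoted boundary containing characters outside the token set (for example ':' or '=') will be rejected, so run the main method's check against Content-Type values captured from your own legitimate clients before deploying. This is a stop-gap; upgrading to 2.3.32 or 2.5.10.1 remains the fix.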

Malware Hashes:

0132c766b1855c27819d9c108c7954c2
14782a44772c0b5fa69168b58ee6c9cd
58e50a7a0b76ce7601ae0096bb499d55
706b501e23b7dd3acac547daaa1298a2
7b2e2d5b06ed82d204a1d651a69d1845
cdc457633178e845bb4b306531a4588b
e6408aa9db0a1e09c8028f87d3a8f0cf
f8886fb4e56dbfd877eb8b8a5d125844
