07 March 2018

Chinese, Russian hackers counting on Apache Struts vulnerabilities – a report by Quick Heal Security Labs

Written by Sameer Patil
Security

Apache Struts is an open-source MVC framework for developing Java EE web applications (it is a web framework, not a content management system). Apache Struts has been widely used by many Fortune 100 companies and government agencies over the years for developing web applications. Applications built on such a framework must keep the framework version on their application servers up to date, because a vulnerability in the framework directly affects the security of every application that embeds it.

As observed by Quick Heal Security Labs, Apache Struts has been under attack since January 2018, with the attack traffic originating mostly from Russian and Chinese source IP addresses.

Fig 1. Apache Struts exploit attempts blocked in 2 months

These constant hits in our IDS/IPS telemetry for Apache Struts attacks suggest that attackers will keep targeting the framework for some time to come.

Some of the prominent Apache Struts remote code execution (RCE) vulnerabilities blocked by Quick Heal IDS/IPS are:

  • CVE-2017-5638
  • CVE-2017-12611
  • CVE-2017-9791
  • CVE-2017-9805

Details about these vulnerabilities 

CVE-2017-5638 (Apache advisory S2-045) was the first critical Struts vulnerability of 2017 fixed by Apache. It has a CVSS score of 10, reflecting its criticality. The bug lies in the Jakarta Multipart parser: when a file upload fails, the parser builds an error message from the request's Content-Type header, and that message is then evaluated as an OGNL expression. An attacker therefore sends an OGNL expression (typically one that disables the OGNL sandbox and calls java.lang.Runtime or ProcessBuilder) in a crafted Content-Type header; no actual file upload is needed. Affected versions were Struts 2.3.5 to 2.3.31 and 2.5 to 2.5.10; the fix shipped in 2.3.32 and 2.5.10.1.

Fig 2. Crafted Content-Type Header for exploiting CVE-2017-5638

Within days of Apache publishing its advisory in March 2017, exploitation attempts were seen in the wild. As few defenders were aware of the vulnerability at that time, attackers took advantage and started scanning servers for vulnerable, unpatched versions of Struts.

Equifax, a major credit reporting agency, fell victim to such an attack, leading to one of the biggest data breaches in history: attackers stole confidential data of around 143 million consumers (the figure Equifax first disclosed; it was later revised upwards). The root cause was Equifax's failure to deploy the patch for this very vulnerability, which had been available for months before the intrusion.

Next came CVE-2017-9791 (S2-048), patched by Apache in July 2017. It affects Struts 2.3.x applications that use the Struts 1 plugin: when untrusted input is passed as part of the error message to the ActionMessage class, the message is evaluated as an OGNL expression, giving RCE. Shown below is an example of a malicious payload sent in a POST request to the "/struts-showcase/integration/saveGangster.action" URI of the Struts Showcase application.

Fig 3. Crafted HTTP POST request body for exploiting CVE-2017-9791

The public exploit targets the Struts Showcase sample application, but any Struts 1 plugin action that places untrusted input in an ActionMessage is affected; RCE is achieved by evaluating malicious OGNL expressions in the same way as in CVE-2017-5638.

CVE-2017-9805 (S2-052) is again a remote code execution vulnerability, fixed in September 2017 (Struts 2.3.34 and 2.5.13). It is triggered when the Struts REST plugin uses its XStream handler to process XML payloads: the handler's toObject() method deserializes the XML request body into arbitrary Java objects without any type restrictions, so an attacker supplies a serialized gadget chain ending in java.lang.ProcessBuilder and the command runs when the object graph is reconstructed. Unlike the other three vulnerabilities, this one does not involve OGNL at all.

Fig 4. Crafted XML payload containing injected command in serialized XML object

Similarly, CVE-2017-12611 (S2-053) is another Apache Struts vulnerability, exploited through a crafted request parameter (which can be carried in the URI) containing the sequence of commands to be executed on the application server. It arises when a developer uses a request value as an expression in a Freemarker tag instead of as a quoted string literal, so that attacker-controlled input is evaluated as an expression, leading to RCE.

The exploit payload for this vulnerability appears in the URL string as shown below:

Fig 5. Crafted URL string containing payload for exploiting CVE-2017-12611

OGNL (Object-Graph Navigation Language) is an open-source expression language (EL) used for getting and setting the properties of Java objects; Struts 2 uses it to bind request parameters to action properties. If an attacker can get arbitrary OGNL expressions evaluated, they can call static methods such as java.lang.Runtime.getRuntime().exec(), i.e. execute arbitrary code, or modify resources stored on the application server.

Except for CVE-2017-9805, the three exploits above all use OGNL expressions to achieve RCE. Hence, website administrators are advised to watch for requests that carry OGNL syntax where none is expected, such as %{...} or ${...} wrappers, #_memberAccess, @ognl.OgnlContext@ or @java.lang.Runtime@ in headers, URLs or bodies, as a way of catching exploitation of a not-yet-patched (zero-day) OGNL injection.
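The following is an added example of that watch, written for this edit and not part of the original post or of any Quick Heal product: a small request inspector that percent-decodes headers, URL and body and flags the OGNL markers named above, plus the XStream gadget class names used by the public CVE-2017-9805 payload (which has no OGNL to match). The sample requests are constructed to resemble each vector and are not captured traffic; the CVE labels in the findings mean "shaped like that exploit", not a confirmed match.

```python
import re
from typing import Dict, List, NamedTuple
from urllib.parse import unquote_plus


class Request(NamedTuple):
    """Minimal HTTP request model: method, path (with query string), headers, body."""
    method: str
    path: str
    headers: Dict[str, str]
    body: str


# OGNL / expression-language markers seen in the public S2-045, S2-048 and
# S2-053 payloads. None of these belong in a legitimate header, URL or form.
OGNL_RE = re.compile(
    r"%\{|\$\{"                      # %{...} / ${...} expression wrappers
    r"|#_memberAccess"               # disables the OGNL sandbox
    r"|@ognl\.OgnlContext@"          # DEFAULT_MEMBER_ACCESS lookup
    r"|@java\.lang\.Runtime@"        # Runtime.getRuntime().exec(...)
    r"|java\.lang\.ProcessBuilder"
    r"|com\.opensymphony\.xwork2"    # dispatcher / container internals
    r"|#context\[",
    re.IGNORECASE,
)

# Gadget classes used by the public S2-052 (CVE-2017-9805) XStream payload.
XSTREAM_RE = re.compile(
    r"<(jdk\.nashorn\.internal\.objects\.NativeString"
    r"|com\.sun\.xml\.internal\.bind\.v2\.runtime\.unmarshaller\.Base64Data"
    r"|java\.lang\.ProcessBuilder)\b"
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads cannot slip past."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(req: Request) -> List[str]:
    """Return findings naming the Struts exploit vector each part of the request resembles."""
    findings: List[str] = []
    # S2-045 / S2-046: OGNL smuggled in Content-Type (or Content-Disposition) headers.
    for name, value in req.headers.items():
        if OGNL_RE.search(fully_decode(value)):
            findings.append(f"CVE-2017-5638-style OGNL in {name} header")
    # S2-053: expression in a URL parameter that ends up inside a Freemarker tag.
    if OGNL_RE.search(fully_decode(req.path)):
        findings.append("CVE-2017-12611-style OGNL/Freemarker expression in URL")
    # S2-052: XStream gadget chain in an XML body sent to the REST plugin;
    # otherwise S2-048: OGNL in a form field that lands in an ActionMessage.
    ctype = req.headers.get("Content-Type", "").lower()
    if "xml" in ctype and XSTREAM_RE.search(req.body):
        findings.append("CVE-2017-9805-style XStream gadget chain in XML body")
    elif OGNL_RE.search(fully_decode(req.body)):
        findings.append("CVE-2017-9791-style OGNL in request body")
    return findings


# Constructed sample requests (not captured traffic), one per vector plus two benign ones.
SAMPLES: Dict[str, Request] = {
    "s2_045": Request("POST", "/struts2-showcase/index.action",
        {"Content-Type": "%{(#_='multipart/form-data')."
                         "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
                         "(#_memberAccess=#dm).(#cmd='id')."
                         "(#p=new java.lang.ProcessBuilder({'/bin/sh','-c',#cmd}))."
                         "(#p.start())}"},
        ""),
    "s2_048": Request("POST", "/struts-showcase/integration/saveGangster.action",
        {"Content-Type": "application/x-www-form-urlencoded"},
        "name=%25%7B%28%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue%29"
        "%7D&age=1&__checkbox_bustedBefore=true&description=x"),
    "s2_052": Request("POST", "/struts2-rest-showcase/orders/3",
        {"Content-Type": "application/xml"},
        "<map><entry><jdk.nashorn.internal.objects.NativeString>"
        "<value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\">"
        "<is class=\"javax.crypto.CipherInputStream\"></is></value>"
        "</jdk.nashorn.internal.objects.NativeString></entry></map>"),
    "s2_053": Request("GET",
        "/struts2-showcase/freemarker.action?redirectUri=%24%7B%28%23dm%3D"
        "%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3D%23dm%29%7D",
        {}, ""),
    "benign_form": Request("POST", "/struts-showcase/integration/saveGangster.action",
        {"Content-Type": "multipart/form-data; boundary=----Boundary7MA4YWxk"},
        "------Boundary7MA4YWxk\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\n"
        "Al Capone\r\n------Boundary7MA4YWxk--"),
    "benign_xml": Request("POST", "/struts2-rest-showcase/orders/3",
        {"Content-Type": "application/xml"},
        "<order><clientName>Acme</clientName><amount>5</amount></order>"),
}


def scan_all() -> Dict[str, List[str]]:
    """Run inspect() over every sample request."""
    return {name: inspect(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name:12s} {hits or 'clean'}")
```

The bounded decode loop matters in practice: exploit kits routinely double-encode the %{ wrapper, and a single unquote pass would miss it. The patterns are deliberately narrow (sandbox-bypass identifiers and gadget class names rather than bare braces) so that a legitimate multipart upload or a normal XML order does not trip the check.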

Let’s have a look at the geographical distribution of the attacks we have seen.

The geomap below shows the locations of the attacker IP addresses we observed.

Fig 6. Geomap source of infection (IP address)

Approximately 83% of attack source IPs are located in Russia and China.

The following IPs account for most of the attacks we observed:

  • 5.188.10.105
  • 222.186.50.75
  • 123.249.27.28
  • 120.203.197.58
  • 115.236.16.26
  • 62.196.180.28
  • 119.249.54.93
  • 58.215.65.231
  • 211.159.187.138
  • 122.112.224.61

The target IP locations, on the other hand, are quite evenly distributed, indicating that the attacks are widespread and opportunistic rather than aimed at a specific country or region. Europe, the USA, India, China and parts of Africa have experienced these attacks in high volume, as shown below.

Fig 7. Geo heat map of victim IPs location

We have mainly seen attackers compromising these servers to install Linux backdoors and cryptocurrency-mining software. Monero is the coin of choice because it can be mined profitably on ordinary server CPUs, which is why attackers break into as many servers as possible to maximise their mining output.

We strongly recommend that users upgrade their Apache Struts installation to the latest release (at minimum 2.3.34 or 2.5.13, which contain the fixes for the four CVEs above) and also apply the latest security updates from Quick Heal.
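As an added example (written for this edit, not code from the original post or from Quick Heal), here is a version check an administrator can run over a WEB-INF/lib listing to see which of the CVEs above a deployed struts2-core jar is still exposed to. The inclusive affected ranges for CVE-2017-5638 and CVE-2017-9805 are taken from the Apache advisories S2-045 and S2-052; CVE-2017-9791 is flagged only when the Struts 1 plugin is present, with a note to confirm the fixed version against S2-048, and CVE-2017-12611 is left for the reader to add from S2-053. The jar listings are constructed, not taken from any real deployment.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Inclusive affected ranges from Apache advisories S2-045 and S2-052.
# CVE-2017-9791 (S2-048) depends on the Struts 1 plugin and is handled below;
# CVE-2017-12611 (S2-053) is omitted here and should be added from advisory S2-053.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2017-5638": [("2.3.5", "2.3.31"), ("2.5", "2.5.10")],   # fixed in 2.3.32 / 2.5.10.1
    "CVE-2017-9805": [("2.1.2", "2.3.33"), ("2.5", "2.5.12")],   # fixed in 2.3.34 / 2.5.13
}

CORE_JAR = re.compile(r"^struts2-core-(\d+(?:\.\d+){1,3})\.jar$")
REST_JAR = re.compile(r"^struts2-rest-plugin-.*\.jar$")
STRUTS1_JAR = re.compile(r"^struts2-struts1-plugin-.*\.jar$")


def parse_version(text: str) -> Version:
    """'2.5.10.1' -> (2, 5, 10, 1); shorter strings are zero-padded so 2.5 == 2.5.0.0."""
    parts = [int(p) for p in text.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected Struts version string: {text!r}")
    parts += [0] * (4 - len(parts))
    return parts[0], parts[1], parts[2], parts[3]


def core_cves(version: str) -> List[str]:
    """CVEs from AFFECTED whose inclusive range contains this struts2-core version."""
    v = parse_version(version)
    return [
        cve for cve, ranges in AFFECTED.items()
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)
    ]


def scan_lib_dir(jar_names: List[str]) -> Dict[str, List[str]]:
    """Map each struts2-core jar in a WEB-INF/lib listing to the CVEs it is exposed to,
    taking the presence of the REST and Struts 1 plugins into account."""
    has_rest = any(REST_JAR.match(n) for n in jar_names)
    has_struts1 = any(STRUTS1_JAR.match(n) for n in jar_names)
    report: Dict[str, List[str]] = {}
    for name in jar_names:
        m = CORE_JAR.match(name)
        if not m:
            continue
        version = m.group(1)
        cves = core_cves(version)
        if not has_rest:
            # S2-052 is only reachable through the REST plugin's XStream handler.
            cves = [c for c in cves if c != "CVE-2017-9805"]
        if has_struts1 and parse_version(version)[:2] == (2, 3):
            # S2-048: Struts 2.3.x with the Struts 1 plugin. The exact fixed
            # version is not encoded here; confirm it against advisory S2-048.
            cves.append("CVE-2017-9791 (verify against S2-048)")
        report[name] = cves
    return report


# Constructed WEB-INF/lib listings (not taken from any real deployment).
SAMPLE_LIBS: Dict[str, List[str]] = {
    "old_2_3": ["commons-lang3-3.4.jar", "struts2-core-2.3.31.jar",
                "struts2-rest-plugin-2.3.31.jar", "ognl-3.0.19.jar"],
    "half_patched": ["struts2-core-2.5.10.1.jar", "struts2-rest-plugin-2.5.10.1.jar"],
    "no_rest_plugin": ["struts2-core-2.5.10.jar", "struts2-convention-plugin-2.5.10.jar"],
    "up_to_date": ["struts2-core-2.5.13.jar", "struts2-rest-plugin-2.5.13.jar"],
}


def scan_samples() -> Dict[str, Dict[str, List[str]]]:
    """Run scan_lib_dir() over every constructed listing."""
    return {label: scan_lib_dir(jars) for label, jars in SAMPLE_LIBS.items()}


if __name__ == "__main__":
    for label, report in scan_samples().items():
        for jar, cves in report.items():
            print(f"{label:15s} {jar:28s} {cves or 'not affected by the listed CVEs'}")
```

The "half_patched" listing is the case worth noticing: 2.5.10.1 closed CVE-2017-5638 but predates the S2-052 fix, so a team that patched in March 2017 and stopped was still exposed to the REST plugin deserialization bug six months later. Padding versions to four components is what makes 2.5.10.1 compare correctly against the 2.5.10 upper bound.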

References:

  • http://blogs.quickheal.com/cve-2017-5638-apache-struts-2-remote-code-execution-vulnerability/
  • http://blogs.quickheal.com/cve-2017-9805-apache-struts-2-remote-code-execution-vulnerability-quick-heal-security-labs/
  • https://www.scmagazine.com/equifax-twice-missed-finding-apache-struts-vulnerability-allowing-breach-to-happen/article/697693/

Subject Matter Experts

Sameer Patil | Quick Heal Security Labs
