Eight days after developers patched a critical flaw in the Apache Struts Web application framework, there has been no let-up in the volley of attacks attempting to exploit the vulnerability, which affects a disproportionate number of high-impact websites, a security researcher said Tuesday.
As of Tuesday morning, 503 unique IP addresses were attempting to exploit the code execution bug, Jaime Blasco, chief scientist with security firm AlienVault Labs, told Ars. Based on the addresses, the attack origins were most concentrated in China (300 unique IPs), followed by the US (92), Taiwan (71), Hong Kong (15), the Netherlands (9), Russia (4), Canada (3), Italy (3), the UK (3), and Indonesia (3). In an attempt to go undetected, the attackers in many cases have tweaked the two exploits that were being widely used in last week’s wave. AlienVault has responded by updating the signatures it uses to detect the attacks.
The five-year-old vulnerability resides in Web applications that were developed using a buggy version of Apache Struts. In many cases, the use of a single such app allows attackers to inject commands of their choice into the Web server hosting it. Like the attacks seen last week, the exploits are being used to infect vulnerable servers with a wide variety of malware.
“The payloads we are seeing are common Linux backdoors, and some of the attackers are also opening reverse shells,” Blasco said. “Once they gain shell access to the system, they can manually upload other tools or install other payloads (Ex: ransomware).”
The vulnerability resides in what’s known as the Jakarta file upload multipart parser, which according to official Apache Struts 2 documentation is a standard part of the framework and needs only a supporting library to function. Apache Struts versions affected by the vulnerability include Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10. Servers running any of these versions should upgrade to 2.3.32 or 2.5.10.1 immediately. The vulnerability is indexed as CVE-2017-5638. AlienVault has more about the revived attacks here.
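The affected ranges above are inclusive and span two release branches, so a quick "is this server still exposed?" check is easy to get wrong by string comparison alone (for example, 2.5.10.1 sorts after 2.5.10 and is fixed, while a bare 2.5 is inside the vulnerable range). The following is an added example written for this article, not code from Ars Technica, AlienVault, or the Apache Struts project: it parses Struts version strings, tests them against the ranges the article states, and reports the fixed release for each branch. The server inventory it runs over is constructed sample data.

```python
"""Version-range audit for the Apache Struts 2 multipart-parser bug (CVE-2017-5638).

Added example; not part of the article or the Apache Struts project. The
vulnerable ranges and fixed versions are the ones the article states. The
host inventory at the bottom is constructed sample data.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges, inclusive, exactly as stated: 2.3.5-2.3.31 and 2.5-2.5.10.
VULNERABLE_RANGES: List[Tuple[Version, Version]] = [
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5, 0), (2, 5, 10)),
]

# First release on each branch that carries the fix.
FIXED_FOR_BRANCH: Dict[Version, str] = {
    (2, 3): "2.3.32",
    (2, 5): "2.5.10.1",
}


def parse_version(text: str) -> Version:
    """Turn '2.5.10.1' into (2, 5, 10, 1); reject anything that is not dotted integers."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _pad(v: Version, length: int) -> Version:
    """Right-pad with zeros so (2, 5) compares as (2, 5, 0, 0) against 4-part versions."""
    return v + (0,) * (length - len(v))


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside one of the inclusive vulnerable ranges."""
    v = parse_version(version)
    for low, high in VULNERABLE_RANGES:
        width = max(len(v), len(low), len(high))
        if _pad(low, width) <= _pad(v, width) <= _pad(high, width):
            return True
    return False


def recommended_upgrade(version: str) -> Optional[str]:
    """Fixed release for the server's branch, or None if it is not in an affected range."""
    if not is_vulnerable(version):
        return None
    return FIXED_FOR_BRANCH[parse_version(version)[:2]]


def audit(inventory: Dict[str, str]) -> List[Dict[str, str]]:
    """Run the check over a {hostname: struts_version} map and return one row per host."""
    rows = []
    for host, version in sorted(inventory.items()):
        fix = recommended_upgrade(version)
        rows.append({
            "host": host,
            "version": version,
            "status": "VULNERABLE" if fix else "ok",
            "upgrade_to": fix or "",
        })
    return rows


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "app-01.example.test": "2.3.24",
    "app-02.example.test": "2.3.32",
    "app-03.example.test": "2.5",
    "app-04.example.test": "2.5.10.1",
}

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(f"{row['host']:<22} {row['version']:<9} {row['status']:<11} {row['upgrade_to']}")
```

Feed `audit()` the real version each application bundles (the `struts2-core` jar in `WEB-INF/lib`, not the version the platform team thinks is deployed), since the article's point is that a single vulnerable app on a host is enough.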
DAN GOODIN – 3/14/2017, 7:53 PM