Hackers are actively exploiting a recently disclosed critical vulnerability in the Apache Struts 2 framework, which is used in millions of web servers run by banks, government agencies and large Internet companies.
The vulnerability (CVE-2017-5638) is a remote code execution bug in the Jakarta Multipart parser of Apache Struts 2. When the parser rejects a malformed Content-Type header, the header's value is copied into an error message that Struts then evaluates as an OGNL expression, so an attacker who embeds commands in that header of an ordinary HTTP request gets them executed on the web server.
Researchers at Cisco Systems Inc.-owned Talos wrote in a blog post that they have observed a “high number of exploitation events” in which attackers attempt a variety of malicious acts. These include using the flaw to make the targeted server fetch and run malware, including IRC bouncers, scripts that hide the attacker's real IP address, and denial-of-service bots.
The post added that some of the exploit attempts are relatively simple while others are more sophisticated, including attempts to gain persistence on compromised systems. Another observed technique is to shut off the firewall on the compromised server itself so that malicious software can be installed.
Rapid7 Inc. threat analysis and security researcher Tom Sellers confirmed that the attacks are taking place. In an email to SiliconANGLE, he noted that Rapid7's own observations included seemingly harmless commands as well:
Mirroring what the Talos team found, in addition to the attempts to spread malware, Rapid7 saw attackers running what we’d typically consider harmless commands. In the context of this vulnerability, however, we’d strongly caution that these “harmless commands” are in fact working to determine if a target is vulnerable. It’s well within the realm of possibility that we’re watching attackers work to understand the number of vulnerable hosts on the public Internet as an information gathering effort that is part of preparation for a later attack.
The good news is that a patch for the vulnerability has been issued: the fix shipped in Apache Struts 2.3.32 and 2.5.10.1.
“Network and system owners should review their environments for vulnerable hosts immediately,” Sellers added. “If you cannot upgrade immediately, you may wish to investigate other mitigation efforts, such as changing firewall rules or network equipment ACLs to reduce risk.”
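As an added example (not code from the article, Talos or Rapid7), the following Python does two things a defender reviewing an environment for this bug would want: it flags captured HTTP request headers that carry the OGNL syntax a CVE-2017-5638 payload has to use, matching the parser behaviour described above rather than one published exploit string, and it tests a Struts version string against the affected ranges from the S2-045 advisory. The header names and version ranges are from the Struts advisories; the sample requests, host name and probe expression are constructed for the example.

```python
"""Added example: flag CVE-2017-5638 (Struts S2-045) exploit attempts in captured
HTTP request headers and check a Struts version against the affected ranges.
Not from the article, Talos or Rapid7; the sample requests below are constructed."""
import re
from typing import List, Tuple

# Headers the Jakarta Multipart parser echoes into its error message, which Struts
# then evaluates as OGNL. Content-Type is the CVE-2017-5638 (S2-045) vector;
# Content-Disposition and Content-Length were added by the S2-046 variant.
SUSPECT_HEADERS = ("content-type", "content-disposition", "content-length")

# Syntax an OGNL payload relies on and a legitimate value of these headers never
# contains. Matching on it rather than on a specific exploit string catches probes
# ("harmless commands") as well as malware droppers.
OGNL_MARKERS = re.compile(
    r"%\{|\$\{|#_memberAccess|@java\.lang\.Runtime@|ProcessBuilder|#context\[",
    re.IGNORECASE,
)


def parse_version(s: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); pads so that 2.5 compares as 2.5.0.0."""
    parts = tuple(int(p) for p in s.strip().split("."))
    return parts + (0,) * (4 - len(parts))


# Affected ranges from the S2-045 advisory; fixed in 2.3.32 and 2.5.10.1.
AFFECTED = tuple(
    (parse_version(lo), parse_version(hi))
    for lo, hi in (("2.3.5", "2.3.31"), ("2.5", "2.5.10"))
)


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def parse_request(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP request head into (request line, [(name, value), ...]).
    Duplicates are kept: a filter that reads only the first Content-Type while the
    parser reads the last one would miss a second, malicious copy."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def scan_request(raw: str) -> List[str]:
    """One finding per suspect header whose value carries OGNL syntax."""
    _, headers = parse_request(raw)
    findings = []
    for name, value in headers:
        if name not in SUSPECT_HEADERS:
            continue
        match = OGNL_MARKERS.search(value)
        if match:
            findings.append(f"{name}: OGNL marker {match.group(0)!r} in {value[:48]!r}")
    return findings


# Constructed samples. BENIGN is an ordinary multipart upload; PROBE carries an OGNL
# expression that only assigns a variable, the kind of "is this host vulnerable?"
# check Rapid7 describes, rather than an OS command.
BENIGN = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk\r\n"
    "Content-Length: 312\r\n\r\n"
)
PROBE = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#probe='struts-check')}\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("probe", PROBE)):
        print(label, scan_request(req) or "clean")
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(ver, "AFFECTED" if is_affected(ver) else "fixed")
```

Two caveats for anyone using this: ordinary web server access logs do not record the Content-Type request header, so the detector has to be fed proxy, WAF or IDS captures of the full request head; and the marker list is a heuristic that an attacker can work around with other OGNL forms, so it is a way to spot probing and prioritise hosts, not a substitute for upgrading to a fixed Struts release.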