Attackers Exploit CVE-2018-11776 in Apache Struts to Infect Servers with Coinminers

Delaware, USA – August 30, 2018 – Last week, several PoC exploits were published for the recently patched vulnerability in Apache Struts (CVE-2018-11776) as well as the python script, which simplifies the attack. The vulnerability allows to execute code remotely on servers with the versions of the framework from 2.3 to 2.3.34 and from 2.5 to 2.5.16 installed, and for its exploitation, it is sufficient to use a specially configured URL. Apache Struts is used by a number of the world’s largest enterprises that’s why the discussion at underground forums about the probabilities of attacks on enterprise servers started immediately after the publication of PoC exploit. The first attacks were recorded on August 27 by researchers from Volexity; they spotted the IP addresses from which the vulnerable servers were scanned and analyzed the entire attack chain. IP addresses refer to a single botnet regularly used for Internet scanning operations. After the successful exploitation, the attacked system downloads and runs the shell script and CNRig Miner.

The exploitation of the CVE-2018-11776 vulnerability has not gained much popularity so far, as default Struts configurations are not affected by this flaw, but due to the publication of PoC exploits, attackers started scans for older vulnerabilities in Apache Struts. Apache Foundation released a critical update on August, 22, so it is necessary to update your Struts to versions 2.3.35 or 2.5.17. Also, to timely detect attacks on your business applications that face public Internet, you can use your ArcSight with Web Application Security rule pack from Threat Detection Marketplace: https://my.socprime.com/en/integrations/web-application-security-framework-arcsight