Pierluigi Paganini April 07, 2017

Cyber criminals exploited the recently patched Apache Struts 2 vulnerability CVE-2017-5638 in the wild to deliver the Cerber ransomware.

A recently patched Apache Struts 2 vulnerability, tracked as CVE-2017-5638, has been exploited by crooks in the wild to deliver the Cerber ransomware.

The remote code execution vulnerability affected the Jakarta-based file upload Multipart parser under Apache Struts 2. The CVE-2017-5638 flaw was documented in Rapid7’s Metasploit Framework GitHub site and researchers at Cisco Talos discovered that attackers in the wild are exploiting a publicly available PoC code that triggers the issue.

The attackers targeted both Unix and Windows systems to establish backdoor or to infect the system with a DDoS trojan. The recent campaign spotted by researchers at F5 Networks targeted Windows machines.

Since March 20, the experts observed attacks delivering Cerber ransomware to Windows servers.

“This campaign started on the 10^th of March, 2017 a couple of days after the vulnerability was disclosed. While it looked similar to the other CVE-2017-5638 campaigns, the attack vector seemed to be a slight modification of the original public exploit.” reads the blog post published by F5 Networks.

“The exploit triggers the vulnerability via the Content-Type header value, which the attacker customized with shell commands to be executed if the server is vulnerable.”

“Since about a month, we are tracking numerous attempts to exploit the Java Struts2 vulnerability (CVE 2017-5638). Typically, the exploits targeted Unix systems with simple Perl backdoors and bots.” states an analysis published by experts at the SANS Technology Institute. “But recently, I saw a number of exploit attempts targeting Windows systems using a variant of the Cerber ransomware.”

Crooks exploited the CVE-2017-5638 vulnerability to run Windows tools like shell commands and ITSAdmin to download and execute the Cerber malware.

Below the attack sequence observed by the researchers at the SANS Institute:

1. The script uses BITSAdmin to download the malware (I obfuscated the URL above.
2. The malware (“UnInstall.exe”) is saved in the %TEMP% directory
3. finally, the malware is executed.

The experts at F5 Network analyzed the Bitcoin address where victims are told to send the payment of the ransom and discovered that 84 bitcoins, roughly $100,000 at the current market value.

“The new vulnerability in Apache STRUTS provides a target-rich environment for threat actors to extend their business while infecting thousands of new servers,” F5 said in a blog post. “Targeting servers, rather than individuals, with ransomware has better chances for monetization because those are usually run by organizations with deeper pockets and better infrastructure that might be critical for their business.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Cerber ransomware, CVE-2017-5638 vulnerability)