Pierluigi Paganini August 28, 2018

According to the threat intelligence firm Volexity, the CVE-2018-11776 vulnerability is already being abused in malicious attacks in the wild.

Just yesterday I wrote about the availability online of the exploit code for the recently discovered Critical remote code execution vulnerability CVE-2018-11776 in Apache Struts 2.

The PoC code was published on GitHub and experts were warning of the risks of massive attacks.

The CVE-2018-11776 vulnerability affects Struts versions from 2.3 through 2.3.34, Struts 2.5 through 2.5.16, and possibly unsupported versions of the framework.

The versions Struts 2.3.35 and 2.5.17 includes the security updates to address the CVE-2018-11776.

Struts developers also published a temporary workaround, but are recommending users to don’t use it and install the updates.

News of the day is that according to the threat intelligence firm Volexity, the flaw is already being abused in malicious attacks.

The vulnerability is trivial to exploit, it is possible to trigger the RCE flaw when namespace value isn’t set for a result defined in underlying xml configurations and at the same time, its upper action(s) configurations have no or wildcard namespace.

According to the experts from the threat intelligence firm Recorded Future, there is an intense activity related to the Struts flaw in a number of Chinese and Russian underground forums.

” Unfortunately, this makes the vulnerability trivial to exploit — in fact, proof-of-concept code has already been released, including a Python script that allows for easy exploitation. Recorded Future has also detected chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability.” reads the analysis published by Recorded Future.

“Unlike last year’s Apache Struts exploit (CVE-2017-5638), which was at the center of the Equifax breach, this vulnerability appears easier to exploit because it does not require the Apache Struts installation to have any additional plugins running in order to successfully exploit it.”

Experts warn that the CVE-2018-11776 flaw is easier to exploit compared to the CVE-2017-5638Apache Struts flaw that was exploited in the Equifax hack.

The number of potentially vulnerable application could be impressive.

Researchers from Volexity announced to have observed the first malicious campaign targeting the vulnerability just after the PoC was published online.

Threat actors are leveraging the flaw in the attempt to install the CNRig cryptocurrency miner.

“Volexity has observed at least one threat actor attempting to exploit CVE-2018-11776 en masse in order to install the CNRig cryptocurrency miner.” states the report published by Volexity.

“The initial observed scanning originated from the Russian and French IP addresses 95.161.225.94 and 167.114.171.27,” 

The exploit used in the attacks fetch a copy of CNRig Miner from Github (saves it as xrig) and a shell script from BitBucket by performing wget requests to the URLs the two pieces of code reside at.

The shell script removes previous instances of the miner, removes specific processes,  and downloads three ELF crypto mining binaries.

Below the actions performed by the script:

1. Remove any processes containing the keyword rabbit.
2. Look for processes containing the keyword check in the name, removing it if it is not the current process.
3. Remove any instances of upcheck.sh or xrig.
4. Download three ELF cryptomining binaries, chmod them, execute the files, and then remove them.
5. Remove nohup.out.
6. Sleep for ten minutes (600 seconds).

The miners observed in this campaign target multiple architectures, including Intel, ARM, and MIPS.

“The three ELF binaries downloaded are executables for the Intel, ARM, and MIPS architectures.  This is worth noting, as it shows the miner is capable of running across a wide range of hardware, such as servers, desktops, laptops, IOT devices, wireless routers, and more — nearly any internet connected device running a vulnerable instance of Apache Struts.”continues the report from Volexity.

The BitBucket folder involved in the attack contains both the shell script and the ELF binaries. Researchers observed that the mining account name is the same as the BitBucket account name.

I have no doubt, the number of campaigns targeting the CVE-2018-11776 vulnerability will rapidly increase. There is a large number of Apache Struts 2 installs still unpatched that are exposed online.

Pierluigi Paganini

(Security Affairs – CVE-2018-11776, Apache Struts 2)

[adrotate banner=”5″]

[adrotate banner=”13″]