{"id":85939,"date":"2018-03-07T16:02:57","date_gmt":"2018-03-07T10:32:57","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=85939"},"modified":"2018-03-07T16:02:57","modified_gmt":"2018-03-07T10:32:57","slug":"chinese-russian-hackers-counting-apache-struts-vulnerabilities-report-quick-heal-security-labs","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/chinese-russian-hackers-counting-apache-struts-vulnerabilities-report-quick-heal-security-labs\/","title":{"rendered":"Chinese, Russian hackers counting on Apache Struts vulnerabilities &#8211; a report by Quick Heal Security Labs"},"content":{"rendered":"<p><a href=\"https:\/\/struts.apache.org\/\">Apache Struts<\/a> is an open-source CMS based on the MVC framework for developing Java EE web applications. Apache Struts has been widely used by many Fortune 100 companies and government agencies over the years for developing web applications. But websites built using a CMS constantly need to upgrade the CMS version on their web application servers, because vulnerabilities in the CMS framework directly affect the security of the entire website.<\/p>\n<p>As observed by Quick Heal Security Labs, Apache Struts has been a target of mostly Russian and Chinese hackers since January 2018.<\/p>\n<figure id=\"attachment_85941\" aria-describedby=\"caption-attachment-85941\" style=\"width: 990px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-85941 size-full\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/03\/stats2-hits.png\" alt=\"Fig 1. 
Apache Struts exploit attempts blocked in 2 months \" width=\"990\" height=\"282\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/03\/stats2-hits.png 990w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/03\/stats2-hits-300x85.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/03\/stats2-hits-768x219.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/03\/stats2-hits-650x185.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/03\/stats2-hits-789x225.png 789w\" sizes=\"(max-width: 990px) 100vw, 990px\" \/><figcaption id=\"caption-attachment-85941\" class=\"wp-caption-text\">Fig 1. Apache Struts exploit attempts blocked in 2 months<\/figcaption><\/figure>\n<p>These constant hits in our IDS\/IPS telemetry for Apache Struts attacks suggest that hackers will keep targeting the framework for a long time to come.<\/p>\n<p>Some of the prominent Apache Struts remote code execution vulnerabilities blocked by Quick Heal IDS\/IPS are:<\/p>\n<ul>\n<li>CVE-2017-5638<\/li>\n<li>CVE-2017-12611<\/li>\n<li>CVE-2017-9791<\/li>\n<li>CVE-2017-9805<\/li>\n<\/ul>\n<p><strong>Details about these vulnerabilities<\/strong><\/p>\n<p><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-5638\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2017-5638<\/a> was the first critical vulnerability of 2017 fixed by Apache. The vulnerability has a CVSS score of 10, indicating the criticality of the exploit. The vulnerability is in the Jakarta Multipart parser and is triggered by improper handling of a file upload: arbitrary commands are sent through a crafted Content-Type HTTP header.<\/p>\n<figure id=\"attachment_85942\" aria-describedby=\"caption-attachment-85942\" style=\"width: 617px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-85942 size-full\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/03\/CVE-2017-5638.png\" alt=\"Fig 2. Crafted Content-Type Header for exploiting CVE-2017-5638 \" width=\"617\" height=\"260\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/03\/CVE-2017-5638.png 617w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/03\/CVE-2017-5638-300x126.png 300w\" sizes=\"(max-width: 617px) 100vw, 617px\" \/><figcaption id=\"caption-attachment-85942\" class=\"wp-caption-text\">Fig 2. Crafted Content-Type Header for exploiting CVE-2017-5638<\/figcaption><\/figure>\n<p>Just a few days after Apache released an advisory in March 2017, exploitation attempts were seen in the wild. As not many were aware of the vulnerability at that time, hackers took advantage and started scanning servers for vulnerable, unpatched versions of Struts.<\/p>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Equifax\"><b>Equifax<\/b><\/a>, a major credit reporting agency, became a victim of such an attack, leading to one of the biggest data breaches in history. 
Hackers were able to steal confidential data of <b>143 million users<\/b>. Failure to deploy the patch for this same vulnerability was the reason behind the breach.<\/p>\n<p>Then came the <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-9791\"><b>CVE-2017-9791<\/b><\/a> vulnerability, which was patched by Apache in July and allows an RCE attack when untrusted input is passed as part of the error message in the ActionMessage class. Shown below is an example of a malicious payload sent as a POST request to the &#8220;<em>\/struts-showcase\/integration\/saveGangster.action<\/em>&#8221; URI.<\/p>\n<figure id=\"attachment_85943\" aria-describedby=\"caption-attachment-85943\" style=\"width: 777px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-85943 size-full\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/03\/9791.png\" alt=\"Fig 3. Crafted HTTP POST request body for exploiting CVE-2017-9791\" width=\"777\" height=\"278\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/03\/9791.png 777w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/03\/9791-300x107.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/03\/9791-768x275.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/03\/9791-650x233.png 650w\" sizes=\"(max-width: 777px) 100vw, 777px\" \/><figcaption id=\"caption-attachment-85943\" class=\"wp-caption-text\">Fig 3. 
Crafted HTTP POST request body for exploiting CVE-2017-9791<\/figcaption><\/figure>\n<p>The vulnerability exists in the Struts Showcase application, and RCE is achieved by running malicious code through OGNL expressions in the same way as in CVE-2017-5638.<\/p>\n<p><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-9805\"><b>CVE-2017-9805<\/b><\/a> is another remote code execution vulnerability, fixed in September 2017. The bug is triggered when the Struts REST plugin is used with the XStream handler to handle XML payloads. The XStream handler&#8217;s toObject() method incorrectly deserializes an object sent by the user in the form of an XML request.<\/p>\n<figure id=\"attachment_85944\" aria-describedby=\"caption-attachment-85944\" style=\"width: 616px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-85944 size-full\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/03\/cve-2017-9805.png\" alt=\"Fig 4. Crafted XML payload containing injected command in serialized XML object \" width=\"616\" height=\"498\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/03\/cve-2017-9805.png 616w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/03\/cve-2017-9805-300x243.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/03\/cve-2017-9805-482x390.png 482w\" sizes=\"(max-width: 616px) 100vw, 616px\" \/><figcaption id=\"caption-attachment-85944\" class=\"wp-caption-text\">Fig 4. Crafted XML payload containing injected command in serialized XML object<\/figcaption><\/figure>\n<p>Similarly, <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-12611\"><b>CVE-2017-12611<\/b><\/a> was another Apache Struts vulnerability, which can be exploited through a crafted URI containing a sequence of commands to be executed on the Apache server. 
The exploit abuses an unintended expression in a Freemarker tag, used where a string literal was expected, which leads to an RCE attack.<\/p>\n<p>The exploit payload for this vulnerability appears in the URL string as shown below:<\/p>\n<figure id=\"attachment_85945\" aria-describedby=\"caption-attachment-85945\" style=\"width: 771px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-85945 size-full\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/03\/CVE-2017-12611a.png\" alt=\"Fig 5. Crafted URL string containing payload for exploiting CVE-2017-12611 \" width=\"771\" height=\"238\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/03\/CVE-2017-12611a.png 771w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/03\/CVE-2017-12611a-300x93.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/03\/CVE-2017-12611a-768x237.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/03\/CVE-2017-12611a-650x201.png 650w\" sizes=\"(max-width: 771px) 100vw, 771px\" \/><figcaption id=\"caption-attachment-85945\" class=\"wp-caption-text\">Fig 5. Crafted URL string containing payload for exploiting CVE-2017-12611<\/figcaption><\/figure>\n<p><a href=\"https:\/\/commons.apache.org\/ognl\/\">OGNL<\/a> (Object Graph Navigation Library) is an open-source Expression Language (EL) used for getting and setting the properties of Java objects. If an attacker can evaluate arbitrary OGNL expressions, they can execute arbitrary code or modify resources stored on the application server.<\/p>\n<p>Apart from CVE-2017-9805, the remaining three exploits used OGNL expressions for performing RCE. 
Hence, website administrators are advised to keep a watch on requests containing OGNL expressions, to avoid being exploited by any zero-day vulnerability.<\/p>\n<p><b>Let\u2019s have a look at the geographical distribution of the attacks we have seen.<\/b><\/p>\n<p>The geomap below shows the locations of all the attacker IPs mentioned.<\/p>\n<figure id=\"attachment_85947\" aria-describedby=\"caption-attachment-85947\" style=\"width: 531px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-85947 size-full\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/03\/serverIP-geomap.png\" alt=\"Fig 6. Geomap source of infection (IP address)\" width=\"531\" height=\"226\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/03\/serverIP-geomap.png 531w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/03\/serverIP-geomap-300x128.png 300w\" sizes=\"(max-width: 531px) 100vw, 531px\" \/><figcaption id=\"caption-attachment-85947\" class=\"wp-caption-text\">Fig 6. 
Geomap source of infection (IP address)<\/figcaption><\/figure>\n<p>Approximately 83% of attack source IPs are located in Russia and China.<\/p>\n<p>The following is the list of IPs from which we observe most of these attacks:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.abuseipdb.com\/check\/5.188.10.105\">5.188.10.105<\/a><\/li>\n<li><a href=\"https:\/\/www.abuseipdb.com\/check\/222.186.50.75\">222.186.50.75<\/a><\/li>\n<li><a href=\"https:\/\/www.abuseipdb.com\/check\/123.249.27.28\">123.249.27.28<\/a><\/li>\n<li><a href=\"https:\/\/www.abuseipdb.com\/check\/120.203.197.58\">120.203.197.58<\/a><\/li>\n<li><a href=\"https:\/\/www.abuseipdb.com\/check\/115.236.16.26\">115.236.16.26<\/a><\/li>\n<li><a href=\"https:\/\/www.abuseipdb.com\/check\/62.196.180.28\">62.196.180.28<\/a><\/li>\n<li><a href=\"https:\/\/www.abuseipdb.com\/check\/119.249.54.93\">119.249.54.93<\/a><\/li>\n<li><a href=\"https:\/\/www.abuseipdb.com\/check\/58.215.65.231\">58.215.65.231<\/a><\/li>\n<li><a href=\"https:\/\/www.abuseipdb.com\/check\/211.159.187.138\">211.159.187.138<\/a><\/li>\n<li><a href=\"https:\/\/www.abuseipdb.com\/check\/122.112.224.61\">122.112.224.61<\/a><\/li>\n<\/ul>\n<p>On the other hand, the target IP locations of the attacks are quite well distributed, indicating that the attacks are widespread in nature and less targeted at a specific country or region. Europe, USA, India, China and some regions of Africa seem to have experienced these attacks in high volume, as shown below.<\/p>\n<figure id=\"attachment_85948\" aria-describedby=\"caption-attachment-85948\" style=\"width: 524px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-85948 size-full\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/03\/geomap1.png\" alt=\"Fig 7. 
Geo heat map of victim IPs location \" width=\"524\" height=\"231\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/03\/geomap1.png 524w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/03\/geomap1-300x132.png 300w\" sizes=\"(max-width: 524px) 100vw, 524px\" \/><figcaption id=\"caption-attachment-85948\" class=\"wp-caption-text\">Fig 7. Geo heat map of victim IPs location<\/figcaption><\/figure>\n<p>We have mainly seen attackers targeting the servers to install Linux backdoors and cryptocurrency miner software. Cryptocoins like <a href=\"https:\/\/en.wikipedia.org\/wiki\/Monero_(cryptocurrency)\">Monero<\/a> bring in huge profits, which is why attackers are hacking into as many servers as possible to generate the maximum number of coins.<\/p>\n<p>We strongly recommend that users upgrade their Apache Struts installation to the latest software release and also apply the latest security updates from Quick Heal.<\/p>\n<p><strong>References<\/strong>:<\/p>\n<ul>\n<li><a href=\"https:\/\/blogs.quickheal.com\/cve-2017-5638-apache-struts-2-remote-code-execution-vulnerability\/\">https:\/\/blogs.quickheal.com\/cve-2017-5638-apache-struts-2-remote-code-execution-vulnerability\/<\/a><\/li>\n<li><a href=\"https:\/\/blogs.quickheal.com\/cve-2017-9805-apache-struts-2-remote-code-execution-vulnerability-quick-heal-security-labs\/\">https:\/\/blogs.quickheal.com\/cve-2017-9805-apache-struts-2-remote-code-execution-vulnerability-quick-heal-security-labs\/<\/a><\/li>\n<li><a href=\"https:\/\/www.scmagazine.com\/equifax-twice-missed-finding-apache-struts-vulnerability-allowing-breach-to-happen\/article\/697693\/\">https:\/\/www.scmagazine.com\/equifax-twice-missed-finding-apache-struts-vulnerability-allowing-breach-to-happen\/article\/697693\/<\/a><\/li>\n<\/ul>\n<p><b>Subject Matter Experts<\/b><\/p>\n<p>Sameer Patil | Quick Heal Security 
Labs<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Apache Struts is an open-source CMS\u00a0based on MVC framework for developing Java EE Web Applications. Apache Struts\u00a0has been\u00a0widely used by\u00a0many\u00a0Fortune 100\u00a0companies and government agencies over the years for developing web applications. But,\u00a0websites built using a CMS constantly need to upgrade the CMS versions in their web application servers, because vulnerabilities in the CMS framework directly [&hellip;]<\/p>\n","protected":false},"author":46,"featured_media":85952,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[133,5,36,1395],"tags":[1492,1327,1173,561],"class_list":["post-85939","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacker","category-security","category-security-patch","category-vulnerability","tag-apache-struts","tag-cve","tag-exploit","tag-vulnerabilities"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/85939"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/46"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=85939"}],"version-history":[{"count":6,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/85939\/revisions"}],"predecessor-version":[{"id":85954,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/85939\/revisions\/85954"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/85952"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=85939"}],"wp:term":[{"taxonomy"
:"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=85939"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=85939"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}