After a security researcher revealed a vulnerability last week in Apache Struts, a very popular piece of enterprise software, active exploitation attempts have started this week.
The vulnerability in question is tracked as CVE-2018-11776, a remote code execution flaw that allows an attacker to gain control over Struts-based web applications.
The vulnerability is not exploitable in default Struts configurations, according to an analysis by Palo Alto Networks, but the flaw is of interest to everyone, mainly because Struts is used by some of the world's largest companies (including Equifax, which suffered a major data breach last year because of a Struts flaw).
One of these PoCs has also been embedded into an all-in-one Struts exploitation toolkit that combines previous Struts remote code execution flaws into a hacker's dream.
Someone has released a tool for automatically exploiting Apache Struts servers via 3 well-known RCEs. Surprisingly, CVE-2017-9805 is not on there, despite being more recent and already-existing PoCs https://t.co/4qgZJpVbYG
— Catalin Cimpanu (@campuscodi) August 27, 2018
But despite the publication of so many PoCs and Struts hacking tools, attacks did not happen immediately.
Two cyber-security firms, GreyNoise Intelligence and Volexity, say they detected threat actors scanning for Struts servers starting last week, but they did not identify any exploitation attempts.
GreyNoise has observed one (1) host (18.104.22.168) opportunistically testing sections of the Internet for the recent Apache Struts vuln (CVE-2018-11776), but no weaponized exploits have been observed yet. We will report when wide scale opportunistic exploitation is observed.
— GreyNoise Intelligence (@GreyNoiseIO) August 24, 2018
Active attempts to exploit CVE-2018-11776 did not start until late last night.
"The first exploitation attempts we observed took place yesterday, August 27," Matthew Meltzer, security analyst for Volexity, told Bleeping Computer in a private conversation today.
"We are seeing the scans and exploit attempts fairly broadly across a wide array of geographically dispersed targets," Meltzer added.
GreyNoise confirmed Meltzer's findings earlier today on Twitter. GreyNoise says scans and attempts to exploit this flaw were recorded from four IPs, which the company's experts believe to be part of the same botnet: 22.214.171.124, 126.96.36.199, 188.8.131.52, and 184.108.40.206.
Over the past 24 hours GreyNoise has observed three (3) additional distinct hosts (220.127.116.11, 18.104.22.168, 22.214.171.124) crawl the Internet to test for this vulnerability as well, all using the same tooling. This indicates that these hosts are likely part of the same botnet
— GreyNoise Intelligence (@GreyNoiseIO) August 28, 2018
In a report on its blog, Volexity also confirmed that some scans came from 126.96.36.199 and from 188.8.131.52, both of which are known sources of many Internet scanning operations.
"We have seen both IP addresses actively conducting scans over this past year," Meltzer told us.
After analyzing some of these exploitation attempts, Volexity researchers say they were able to pinpoint the exact nature of these attacks.
The company says the group behind these scans is using CVE-2018-11776 to break into Struts apps and infect the underlying server with a version of the CNRig cryptocurrency miner downloaded from a BitBucket repository.
Right now, the attacks are small in scale, compared to other threat actors scanning for other vulnerabilities.
"Wide-scale indiscriminate exploitation has still not yet been observed," GreyNoise said earlier today.
The reason, as Palo Alto Networks researchers have pointed out, is that Struts apps in their default configs are not vulnerable to CVE-2018-11776. Fewer servers are therefore likely to be vulnerable, so for many crooks the effort is not worth it.
But while threat actors aren't showing that much interest in CVE-2018-11776, they are showing interest in older Struts flaws, which have seen a resurgence of activity.
"Following the release of PoC code for CVE-2018-11776, we have also seen an increase in scanning for the older Struts vulnerabilities as well," Meltzer told Bleeping Computer.
The current and most recent Struts flaw, CVE-2018-11776, is known to affect Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16. The Apache Struts team has patched this issue with the release of Struts versions 2.3.35 and 2.5.17. Get patchin'!
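Since the article only gives affected and fixed version ranges, the most useful defender-side check is an inventory of deployed struts2-core jars against those ranges. The script below is an added example, not code from Bleeping Computer or the Apache Struts project; it assumes the standard Maven artifact name `struts2-core-<version>.jar` and uses only the version numbers stated above (remember that a version in range means the server needs the patch, not that its configuration is necessarily exploitable).

```python
import re
from pathlib import Path

# (lowest affected, highest affected, first fixed) per branch, as stated in the article.
AFFECTED_RANGES = {
    "2.3": ((2, 3, 0), (2, 3, 34), (2, 3, 35)),
    "2.5": ((2, 5, 0), (2, 5, 16), (2, 5, 17)),
}

# Matches struts2-core-2.5.16.jar, struts2-core-2.3.jar, struts2-core-2.5.16-SNAPSHOT.jar
JAR_RE = re.compile(r"^struts2-core-(\d+)\.(\d+)(?:\.(\d+))?(?:[-.].*)?\.jar$")


def parse_version(jar_name):
    """Return (major, minor, patch) from a struts2-core jar file name, or None if it is not one."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(version):
    """Classify a version tuple as 'affected', 'patched' or 'unknown'; return (status, fixed_version)."""
    rng = AFFECTED_RANGES.get(f"{version[0]}.{version[1]}")
    if rng is None:
        return ("unknown", None)  # branch not covered by the article's version ranges
    low, high, fixed = rng
    if low <= version <= high:
        return ("affected", fixed)
    return ("patched", None)


def assess_jars(jar_names):
    """Evaluate a list of jar file names; non-Struts jars are ignored."""
    findings = []
    for name in jar_names:
        v = parse_version(name)
        if v is None:
            continue
        status, fixed = assess(v)
        upgrade = ".".join(map(str, fixed)) if fixed else None
        findings.append({"jar": name, "version": ".".join(map(str, v)), "status": status, "upgrade_to": upgrade})
    return findings


def scan_dir(lib_dir):
    """Walk a WEB-INF/lib style directory (hypothetical path supplied by the caller) and assess every jar."""
    return assess_jars(p.name for p in Path(lib_dir).rglob("*.jar"))
```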