Hackers are actively exploiting a high-severity remote code execution (RCE) vulnerability that lets them take complete control of web servers running Apache Struts, a Java web framework widely used by government agencies, banks and large internet companies.
Attacks using publicly available Apache Struts exploits have escalated over the past 48 hours.
The vulnerability affects the Apache Struts 2 framework, Cisco's Talos intelligence and research group has warned. The flaw was patched on Monday; however, the group has since seen hackers using it to inject commands into Struts servers that have not yet applied the recently released patch.
It is unclear why the vulnerability is being exploited so widely only 48 hours after the patch was released. It appears that the Apache Struts maintainers did not communicate the severity of the flaw when releasing the patch, and hackers are using the now publicly known exploits against their chosen servers.
"These are several of the many examples of attacks we are currently observing and blocking. They fall into two broad categories: probing and malware distribution. The payloads being delivered vary considerably, and to their credit, many of the sites have already been taken down and the payloads are no longer available." - Cisco
Tracked as CVE-2017-5638, the vulnerability can be triggered during file uploads handled by the Jakarta Multipart parser. The flaw stems from improper handling of the Content-Type header: when the parser rejects a malformed value, the error message built from that header is evaluated as an OGNL expression, which allows an unauthenticated attacker to execute arbitrary commands with the privileges of the user running the server.
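Because the attack travels in a single request header, it is easy to spot at a proxy, WAF or in captured traffic. The following is an added example written for this article, not code from Cisco Talos or the Struts project: it parses raw HTTP requests, flags a Content-Type that carries OGNL expression markers (the pattern shared by the public proofs of concept) and separately flags a Content-Type that is simply not a valid media type, since that malformed-header error path is where the bug lives. The sample requests are constructed and the injection payload is abbreviated; the indicator strings and the media-type grammar are the example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Substrings that no legitimate media type contains but that the public
# CVE-2017-5638 payloads rely on: an OGNL expression opener, the sandbox
# override, and the Java calls used to spawn a process. (Assumed indicator
# list for this example; tune it against your own traffic.)
OGNL_INDICATORS = (
    "%{", "${",
    "#_memberAccess",
    "@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS",
    "ProcessBuilder",
    "getRuntime()",
)

# A well-formed Content-Type: type/subtype with optional ";name=value" parameters.
VALID_CONTENT_TYPE = re.compile(
    r'^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+'
    r'(\s*;\s*[A-Za-z0-9_.-]+=("[^"]*"|[^;\s"]+))*\s*$'
)

def classify_content_type(value: str) -> str:
    """Classify one Content-Type header value.

    'ognl-injection': carries an OGNL expression (high confidence; block and alert).
    'malformed':      not a valid media type. This is the error path the bug
                      lives in, so on a Struts endpoint it deserves a look.
    'ok':             a syntactically valid media type.
    """
    v = value.strip()
    if any(marker in v for marker in OGNL_INDICATORS):
        return "ognl-injection"
    if not VALID_CONTENT_TYPE.match(v):
        return "malformed"
    return "ok"

def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Return (request-target, headers) from a raw HTTP/1.1 request; header names lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split()
    target = parts[1] if len(parts) > 1 else ""
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, val = line.partition(":")
        if sep:
            headers[name.strip().lower()] = val.strip()
    return target, headers

def scan_requests(raw_requests: List[str]) -> List[Tuple[str, str]]:
    """Classify the Content-Type of each request; a request without one is treated as text/plain."""
    results = []
    for raw in raw_requests:
        target, headers = parse_request(raw)
        verdict = classify_content_type(headers.get("content-type", "text/plain"))
        results.append((target, verdict))
    return results

# Constructed sample traffic, not captured data. The payload in the second
# request is abbreviated to the opening shape shared by the public proofs of concept.
SAMPLE_REQUESTS = [
    "POST /upload.action HTTP/1.1\r\nHost: struts.example\r\n"
    "Content-Type: multipart/form-data; boundary=----abc123\r\n\r\n------abc123--",
    "POST /upload.action HTTP/1.1\r\nHost: struts.example\r\n"
    "Content-Type: %{(#_='multipart/form-data')."
    "(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id')...}\r\n\r\n",
    "POST /upload.action HTTP/1.1\r\nHost: struts.example\r\n"
    "Content-Type: text/plain; charset\r\n\r\n",
    "GET /index.action HTTP/1.1\r\nHost: struts.example\r\n\r\n",
]

if __name__ == "__main__":
    for target, verdict in scan_requests(SAMPLE_REQUESTS):
        print(f"{target:20} {verdict}")
```

The 'malformed' verdict is deliberately lower confidence than 'ognl-injection': a broken client can send a bad Content-Type, but on an unpatched Struts server that same request reaches the vulnerable error handler, so it is worth logging even when no OGNL marker is present.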
"If you run it against a vulnerable application, the result will be the remote execution of commands with the user running the server," security researcher Vicente Motos wrote in a post. "We have dedicated hours to reporting to companies, governments, manufacturers, and even individuals to patch and correct the vulnerability as soon as possible, but the exploit has already jumped to the big pages of 'advisories,' and massive attempts to exploit the Internet have already been observed."
The critical security vulnerability affects Struts 2.3.5 through 2.3.31 and Struts 2.5 through 2.5.10. The flaw was addressed on March 6 with the release of versions 2.3.32 and 2.5.10.1. Cisco Talos first spotted exploitation attempts on March 7, right after a proof-of-concept exploit was published.
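Checking a deployment against those ranges is mostly a matter of getting the version ordering right, since 2.5.10 is affected and 2.5.10.1 is not. The following added example (written for this article, not a tool from Apache or Cisco) reads the Struts version out of a struts2-core jar name as found in a WEB-INF/lib listing and reports whether it falls in an affected range and which release fixes it. The jar-name pattern and the sample listing are the example's own assumptions.

```python
import re
from typing import Optional, Tuple

# Affected ranges and fixing releases for CVE-2017-5638, as stated above:
# (lowest affected, highest affected, release that carries the fix).
AFFECTED_RANGES = (
    ((2, 3, 5), (2, 3, 31), (2, 3, 32)),
    ((2, 5), (2, 5, 10), (2, 5, 10, 1)),
)

# Assumed naming convention for the core jar, e.g. struts2-core-2.3.31.jar.
JAR_NAME = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")

def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1). Trailing zeros are dropped so '2.5.0' equals '2.5'."""
    parts = tuple(int(p) for p in text.strip().split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts

def version_from_jar_name(filename: str) -> Optional[str]:
    """Extract the Struts version from a struts2-core jar path, or None for other jars."""
    m = JAR_NAME.search(filename)
    return m.group(1) if m else None

def fixed_version_for(version: str) -> Optional[str]:
    """Return the release that fixes an affected version, or None if the version is not affected."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        # Tuple comparison orders (2, 5, 10, 1) after (2, 5, 10), so the
        # four-component point release correctly falls outside the range.
        if low <= v <= high:
            return ".".join(str(n) for n in fixed)
    return None

def is_vulnerable(version: str) -> bool:
    return fixed_version_for(version) is not None

if __name__ == "__main__":
    # Constructed WEB-INF/lib listing, not taken from a real deployment.
    listing = (
        "WEB-INF/lib/struts2-core-2.3.31.jar",
        "WEB-INF/lib/struts2-core-2.3.32.jar",
        "WEB-INF/lib/struts2-core-2.5.10.jar",
        "WEB-INF/lib/struts2-core-2.5.10.1.jar",
        "WEB-INF/lib/commons-fileupload-1.3.2.jar",
    )
    for jar in listing:
        ver = version_from_jar_name(jar)
        if ver is None:
            continue
        fix = fixed_version_for(ver)
        status = f"VULNERABLE, upgrade to {fix}" if fix else "not affected"
        print(f"{jar:44} {status}")
```

Versions older than 2.3.5 are reported as not affected only because they fall outside the ranges the advisory names; they are unsupported releases and should not be taken as safe on that basis.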
Cisco also noted that it is seeing a "high number of exploitation events" in which attackers leverage the publicly available PoC code for a variety of malicious acts, from disabling Linux firewall protections to executing malware on the target systems; the payloads have also included IRC bouncers and denial-of-service bots.
Nick Biasini of Cisco warned that we might continue to see widespread exploitation since the vulnerability is "relatively trivial to exploit and there are clearly systems that are potentially vulnerable."