Bad actors have been leveraging a disclosed remote code execution exploit in Apache Struts 2 to launch an evolving array of malicious campaigns, including Cerber ransomware attacks, against servers that still use unpatched versions of the software.
An open-source web application framework for developing Java EE web applications, Apache Struts 2 contains the vulnerability CVE-2017-5638, which relates to an error in the way the Apache Jakarta multipart parser parses the HTTP request's Content-Type header. In recent blog post, threat intelligence firm F5 Networks reported that its researchers have observed around 10 different campaigns in the wild that have leveraged this vulnerability.
F5 highlighted one especially notable campaign that has evolved significantly since debuting on March 10. In less than a month's time, its orchestrators have shifted from launching distributed denial of service attacks to engaging in cryptocurrency mining to most recently extorting victims with a Cerber variant. As of March 27, the botnet behind this campaign had amassed more than 2,500 victims, including production servers, F5 noted.
Separately, a SANS Institute ISC InfoSec Forums post by Johannes Ullrich, dean of research at the SANS Technology Institute, similarly warned of numerous Apache Struts exploit attacks that evolved from targeting Unix systems with simple Perl backdoors and bots to infecting Windows systems with Cerber.
In the rapidly evolving campaign reported by F5, attackers at first were using shell commands to infect servers with Perl-based PowerBot malware in order to execute DDoS attacks. According to F5, the bot malware was not written to disk, but instead was redirected to the Perl interpreter, which minimizes the malware's footprint, making it hard to detect. Later, the attackers added the “minerd” crypto coin mining program to the malware package. This program mines coins into several legitimate crypto pools hosted in France under the domain name “crypto-pool.fr”, the blog post continued.
During the week of March 20, the attackers changed strategies again, infecting Windows machines with Cerber ransomware. The variant reportedly is capable of modifying Windows firewall rules in order to prevent installed anti-virus programs from communicating with their servers for the purpose of installing updates and reporting events.
"As we have seen in the past, it is amazing how fast existing threat actors using older web vulnerabilities in their campaigns can adapt to switch to newly released zero-days to deliver the same payloads," F5 commented in its blog post. "This gives them a new vulnerability window to exploit while the defenders install patches."