Apache Struts 2 Vulnerability Still Being Exploited for Cryptojacking Attacks: Research
The Apache Struts 2 vulnerability was disclosed two weeks ago by Man Yue Mo of the Semmle Security Research team and has since been fixed by Apache, but security researchers report that unpatched servers are still being exploited and used to mine cryptocurrency in a cryptojacking campaign.
Apache Struts 2 Vulnerability (CVE-2018-11776)
Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 (fixed in 2.3.35 and 2.5.17) suffer from possible remote code execution when using results with no namespace while, at the same time, the upper action(s) have no namespace or a wildcard namespace. The same possibility exists when using a URL tag that has neither value nor action set while, at the same time, its upper action(s) have no namespace or a wildcard namespace.
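To make those preconditions concrete, the following is an added audit script (my own code, not part of the advisory, Semmle's research or F5's analysis). It parses a struts.xml and reports every redirectAction or chain result that has no namespace parameter and sits under a package whose namespace is missing or a wildcard, which is the "result with no namespace under an action with no or wildcard namespace" condition the advisory describes. Both embedded configurations are constructed samples, and the only-struts.xml assumption matters: the struts.mapper.alwaysSelectFullNamespace constant that lets the request URL supply the namespace can also be set in struts.properties or by the Convention plugin, which this script does not read.

```python
"""Audit a Struts 2 struts.xml for the CVE-2018-11776 (S2-057) preconditions:
a redirectAction or chain result with no namespace parameter, declared under
a package whose namespace is missing or a wildcard."""
import xml.etree.ElementTree as ET

# Result types that take a namespace <param>; when it is absent the target
# namespace falls back to the one derived from the request URL.
NAMESPACE_SENSITIVE_RESULTS = {"redirectAction", "chain"}
FULL_NAMESPACE_CONSTANT = "struts.mapper.alwaysSelectFullNamespace"

# Constructed sample: one package with no namespace, one with a wildcard.
VULNERABLE_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="demo" extends="struts-default">
    <action name="help">
      <result type="redirectAction">
        <param name="actionName">date.action</param>
      </result>
    </action>
  </package>
  <package name="wild" extends="struts-default" namespace="/*">
    <action name="chained">
      <result type="chain">
        <param name="actionName">date</param>
      </result>
    </action>
    <action name="plain">
      <result>/WEB-INF/jsp/plain.jsp</result>
    </action>
  </package>
</struts>
"""

# Constructed sample: the same redirect with explicit namespaces everywhere.
FIXED_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
  <package name="demo" extends="struts-default" namespace="/actions">
    <action name="help">
      <result type="redirectAction">
        <param name="actionName">date.action</param>
        <param name="namespace">/actions</param>
      </result>
    </action>
  </package>
</struts>
"""


def find_risky_results(xml_text: str) -> list:
    """One finding per namespace-sensitive result that lacks a namespace
    <param> inside a package with no namespace or a wildcard namespace."""
    root = ET.fromstring(xml_text)
    findings = []
    for pkg in root.iter("package"):
        pkg_ns = pkg.get("namespace")
        if pkg_ns is not None and "*" not in pkg_ns:
            continue  # explicit, non-wildcard namespace: the request cannot supply it
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                rtype = result.get("type", "dispatcher")  # Struts default result type
                if rtype not in NAMESPACE_SENSITIVE_RESULTS:
                    continue
                has_ns = any(p.get("name") == "namespace" for p in result.findall("param"))
                if not has_ns:
                    findings.append({
                        "package": pkg.get("name"),
                        "package_namespace": pkg_ns,
                        "action": action.get("name"),
                        "result_type": rtype,
                    })
    return findings


def full_namespace_enabled(xml_text: str) -> bool:
    """True if this struts.xml itself sets alwaysSelectFullNamespace=true.
    (Assumption: the value is not overridden in struts.properties or by a plugin.)"""
    root = ET.fromstring(xml_text)
    for const in root.iter("constant"):
        if const.get("name") == FULL_NAMESPACE_CONSTANT:
            return const.get("value", "").strip().lower() == "true"
    return False


def audit(xml_text: str) -> dict:
    """Combine both checks; 'exposed' is about configuration only, the Struts
    version still decides whether the flaw is actually exploitable."""
    findings = find_risky_results(xml_text)
    return {
        "full_namespace": full_namespace_enabled(xml_text),
        "findings": findings,
        "exposed": bool(findings),
    }


if __name__ == "__main__":
    for label, xml in (("vulnerable", VULNERABLE_XML), ("fixed", FIXED_XML)):
        report = audit(xml)
        print(f"{label}: alwaysSelectFullNamespace={report['full_namespace']} "
              f"findings={len(report['findings'])}")
        for f in report["findings"]:
            print("  ", f)
```

The fix the script nudges you toward is the one in the advisory's workaround: give every package a concrete namespace and every redirectAction/chain result an explicit namespace parameter; the real fix remains upgrading to 2.3.35 or 2.5.17.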
Apache Struts is a free, open-source, MVC framework for creating elegant, modern Java web applications. It favors convention over configuration, is extensible using a plugin architecture, and ships with plugins to support REST, AJAX and JSON.
The vulnerability is being used for cryptojacking, specifically to mine the Monero cryptocurrency. The injection point is within the URL, and the campaign targets Linux systems.
Cryptojacking attacks have increased sharply in just a few months. Some attackers have found that monetising compromised hardware by mining on it is easier than stealing coins from users' wallets: cryptojacking is the silent use of a victim's computer to mine cryptocurrency.
It is often compared with ransomware, but the two behave differently. Ransomware announces itself by encrypting the victim's files, whereas cryptojacking is designed to go unnoticed; it can run inside a browser through injected JavaScript or, as in this campaign, as a native miner dropped onto a compromised server.
The following threat analysis is by Liron Segal, a researcher and contributing author for F5 Labs:
As with many other Apache Struts 2 vulnerabilities, CVE-2018-11776 allows attackers to inject Object-Graph Navigation Language (OGNL) expressions, which might contain malicious Java code that is evaluated under several circumstances. This time, the injection point is within the URL.
The attacker sends a single HTTP request while injecting an OGNL expression that, once evaluated, executes shell commands to download and execute a malicious file.
An additional file on the server at /win/checking-test.hta holds a Visual Basic script that calls a Microsoft Windows cmd to run a PowerShell command on a targeted victim. So, it seems this threat actor is targeting Windows OS (not just Linux) using another operation hosted on the same server.
For some miners, the attacker decides to take a more careful approach and check each process name and process CPU usage and then kill only those processes that utilize 60 percent or more of the CPU resources. This is probably done to avoid killing legitimate processes as the names of these miners (crond, sshd and syslogs) typically relate to legitimate programs on a Linux system.
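Because the analysis above says the OGNL expression arrives in the URL of a single request, the cheapest place to hunt for this campaign is the web server's access log. The following is an added example of that detection logic (my own code, not F5's or the campaign's). It parses combined-format Apache/Nginx log lines, URL-decodes the request path (peeling double encoding), and flags any path that contains an OGNL expression delimiter or one of a handful of tokens that public Struts OGNL payloads rely on; the marker list is my assumption about what those payloads look like, and the four log lines are constructed, including one that carries "${" only in the query string to show that this detector is deliberately scoped to the path, where the namespace is taken from.

```python
"""Flag requests whose URL path carries an OGNL expression, the CVE-2018-11776
injection point, in combined-format (Apache/Nginx) access logs."""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# OGNL expression delimiters and tokens that public Struts OGNL payloads rely
# on (assumed marker list); a legitimate URL path contains none of them.
EXPR_DELIMS = ("${", "%{")
OGNL_MARKERS = (
    "#_memberAccess", "@ognl.OgnlContext@", "@java.lang.Runtime@",
    "#context", "getRuntime", "ProcessBuilder",
)

# Constructed sample lines: an encoded arithmetic probe in the namespace
# position, an encoded #_memberAccess fragment, a normal request, and a
# request with "${" only in the query string (not the injection point).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Sep/2018:10:15:32 +0000] "GET /%24%7B%28111%2B111%29%7D/help.action HTTP/1.1" 302 0 "-" "curl/7.58.0"
198.51.100.7 - - [01/Sep/2018:10:16:01 +0000] "GET /%24%7B%28%23_memberAccess%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29%7D/index.action HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Sep/2018:10:16:30 +0000] "GET /actions/date.action HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.11 - - [01/Sep/2018:10:17:00 +0000] "GET /search.action?q=%24%7Bprice%7D HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""


def decode_path(target: str) -> str:
    """Strip the query string and peel up to three layers of URL-encoding,
    so %2524%257B (double-encoded ${) is still caught."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(target: str):
    """Return (decoded_path, reasons); an empty reasons list means clean."""
    path = decode_path(target)
    reasons = []
    if any(d in path for d in EXPR_DELIMS):
        reasons.append("OGNL expression delimiter in URL path")
    reasons.extend(f"OGNL marker {m}" for m in OGNL_MARKERS if m in path)
    return path, reasons


def scan_log(text: str) -> list:
    """Parse each line and return the suspicious ones with their decoded path."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        path, reasons = classify(m["target"])
        if reasons:
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": int(m["status"]),
                "path": path,
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['ts']} {hit['status']} {hit['path']}")
        for r in hit["reasons"]:
            print("   ", r)
```

Two caveats when running this over real logs: the arithmetic probe is only confirmed exploitable when the server's redirect evaluates it (a Location header pointing at /222/...), which an access log does not record, so treat a hit as a lead for packet or proxy data rather than proof; and the delimiter check alone is enough to catch the probe, while the marker list is what distinguishes a scanner from a weaponised request.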
Previously, Equifax was breached through a different Apache Struts 2 vulnerability (CVE-2017-5638). That attack exposed the personally identifiable information (PII) of 147 million consumers and has cost the company over $439 million.