UPDATED 23:24 EST / MARCH 09 2017


Critical Apache Struts 2 web server vulnerability targeted by hackers

Hackers are targeting a recently revealed critical zero-day vulnerability in the Apache Struts 2 framework that is used in millions of web servers employed by banks, government agencies and large Internet companies.

The vulnerability (CVE-2017-5638) is a remote code execution bug in the Jakarta Multipart parser of Apache Struts 2. It allows attackers to inject malicious commands into certain HTTP requests, which the web server then executes.

Researchers at the Cisco Systems Inc.-owned Talos wrote in a blog post that they have observed a “high number of exploitation events” by hackers attempting to carry out a variety of malicious acts. These included using the flaw to make the targeted server distribute malware, including IRC bouncers, scripts that allow hackers to hide their real IP addresses, and denial-of-service bots.

The post added that some of the exploit attempts are relatively simple while others are more sophisticated, including attempts to gain persistence on compromised systems. Another technique reportedly targets the firewall protecting the server so that malicious software can be installed.

Rapid7 Inc. threat analysis and security researcher Tom Sellers confirmed the attacks were taking place. In an email to SiliconANGLE, he noted that Rapid7’s own observations also included seemingly harmless commands:

Mirroring what the Talos team found, in addition to the attempts to spread malware, Rapid7 saw attackers running what we’d typically consider harmless commands. In the context of this vulnerability, however, we’d strongly caution that these “harmless commands” are in fact working to determine if a target is vulnerable. It’s well within the realm of possibility that we’re watching attackers work to understand the number of vulnerable hosts on the public Internet as an information gathering effort that is part of preparation for a later attack.

The good news is that a patch for the vulnerability has been issued.

“Network and system owners should review their environments for vulnerable hosts immediately,” Sellers added. “If you cannot upgrade immediately, you may wish to investigate other mitigation efforts, such as changing firewall rules or network equipment ACLs to reduce risk.”
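The exploit requests for CVE-2017-5638 carry an OGNL expression in the Content-Type header that the Jakarta Multipart parser ends up evaluating, so one of the interim mitigations Sellers alludes to is screening that header in front of unpatched hosts. The following is an added example, not code from the article, Talos or Rapid7: it validates multipart Content-Type values against the strict RFC 2046 grammar and flags anything carrying expression-language markers, run over constructed sample request records (the paths and header values are made up).

```python
import re

# Strict shape of a legitimate multipart Content-Type (RFC 2046): a multipart
# subtype, a boundary built only from the RFC's boundary characters, and at most
# a trailing charset parameter. OGNL syntax (%{ ... }, ${ ... }, #) can never
# appear in a value that matches this grammar.
_MULTIPART_RE = re.compile(
    r"^multipart/[a-z\-]+\s*;\s*boundary=\"?[0-9A-Za-z'()+_,\-./:=? ]{1,70}\"?"
    r"(\s*;\s*charset=[0-9A-Za-z\-_]+)?\s*$",
    re.IGNORECASE,
)
_EXPRESSION_MARKERS = ("%{", "${", "#")


def is_suspicious_content_type(value: str) -> bool:
    """True when a Content-Type header carries expression-language markers, or
    claims to be multipart but does not fit the strict RFC 2046 grammar."""
    v = value.strip()
    if any(marker in v for marker in _EXPRESSION_MARKERS):
        return True
    if v.lower().startswith("multipart/"):
        return _MULTIPART_RE.match(v) is None
    return False


# Constructed sample records (not real traffic): method, path, Content-Type.
SAMPLE_REQUESTS = [
    ("POST", "/upload.action", "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"),
    ("POST", "/upload.action", "multipart/form-data; %{#constructed_expression}"),
    ("GET", "/index.action", "text/html"),
    ("POST", "/login.action", "application/x-www-form-urlencoded"),
    ("POST", "/upload.action", "multipart/form-data; boundary=a{b}c"),
]


def flag_requests(requests):
    """Return the (method, path, content_type) records worth alerting on."""
    return [r for r in requests if is_suspicious_content_type(r[2])]


if __name__ == "__main__":
    for method, path, ctype in flag_requests(SAMPLE_REQUESTS):
        print(f"ALERT {method} {path} Content-Type={ctype!r}")
```

The second sample is caught by the marker check and the last by the grammar check; the first passes because its boundary uses only RFC 2046 boundary characters.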

Photo: John5199/Wikimedia Commons
