
After a security researcher revealed a vulnerability last week in Apache Struts, a very popular piece of enterprise software, active exploitation attempts have started this week.

The vulnerability in question is tracked as CVE-2018-11776, a remote code execution flaw that allows an attacker to gain control over Struts-based web applications.

The vulnerability is not exploitable in default Struts configurations, according to an analysis by Palo Alto Networks, but the flaw is of interest to everyone, mainly because Struts is used by some of the world's largest companies (including Equifax, which suffered a major data breach last year because of a Struts flaw).

Multiple PoCs released last week

Over the course of last week, several security researchers have put together different proof-of-concept (PoC) scripts for CVE-2018-11776 [1, 2, 3, 4], including a step-by-step tutorial.

One of these PoCs has also been embedded into an all-in-one Struts exploitation toolkit that combines previous Struts remote code execution flaws into a hacker's dream.

But despite the publication of so many PoCs and Struts hacking tools, attacks did not happen immediately.

Two cyber-security firms, Greynoise Intelligence and Volexity, say they've detected threat actors scanning for Struts servers starting last week, but they did not identify any exploitation attempts.

First attacks started yesterday

Active attempts to exploit CVE-2018-11776 did not start until late last night.

"The first exploitation attempts we observed took place yesterday, August 27," Matthew Meltzer, security analyst for Volexity, told Bleeping Computer in a private conversation today.

"We are seeing the scans and exploit attempts fairly broadly across a wide array of geographically dispersed targets," Meltzer added.

Greynoise confirmed Meltzer's findings earlier today, on Twitter. Greynoise says scans and attempts to exploit this flaw were recorded from four IPs, which the company's experts believe to be part of the same botnet: 192.173.146.40, 202.189.2.94, 182.23.83.30, and 95.161.225.94.

In a report on its blog, Volexity also confirmed that some scans came from 95.161.225.94, but also from 167.114.171.27, both known sources of many Internet scanning operations.

"We have seen both IP addresses actively conducting scans over this past year," Meltzer told us.

Attackers infecting servers with coinminers

After analyzing some of these exploitation attempts, Volexity researchers say they were able to pinpoint the exact nature of these attacks.

The company says the group behind these scans is using CVE-2018-11776 to break into Struts apps and contaminate the underlying server with a version of the CNRig cryptocurrency miner downloaded from a BitBucket repository.

Right now, the attacks are small in scale, compared to other threat actors scanning for other vulnerabilities.

"Wide-scale indiscriminate exploitation has still not yet been observed," Greynoise said earlier today.

The reason, as Palo Alto Networks researchers have pointed out, is that Struts apps in their default configs are not vulnerable to CVE-2018-11776. Fewer servers are therefore likely to be vulnerable, so for many crooks the effort is not worthwhile.

Attackers actively scanning for past Struts flaws as well

But while threat actors aren't showing that much interest in CVE-2018-11776, they are showing interest in older Struts flaws, which have seen a resurgence of activity.

"Following the release of PoC code for CVE-2018-11776, we have also seen an increase in scanning for the older Struts vulnerabilities as well," Meltzer told Bleeping Computer.

If you're setting time aside to patch your Struts-based apps, it may be wise to apply patches for older flaws such as CVE-2013-2251, CVE-2017-5638, and CVE-2017-9805, as well.

The current and most recent Struts flaw, CVE-2018-11776, is known to affect Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16. The Apache Struts team has patched this issue with the release of Struts versions 2.3.35 and 2.5.17. Get patchin'!
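As an added example (not code from the article or from the Struts project), here is a small Python triage helper that takes an inventory of deployed struts2-core versions and, using only the affected and fixed version numbers the article lists, reports which apps still need the CVE-2018-11776 upgrade; the inventory and its version strings are constructed sample input.

```python
# Added triage helper, not from the article: decide whether a deployed
# struts2-core version falls inside the CVE-2018-11776 ranges the article
# gives (2.3 to 2.3.34, 2.5 to 2.5.16) and which fixed release to move to
# (2.3.35 / 2.5.17). Sample inventory below is constructed, not real data.
import re
from typing import Dict, Optional, Tuple

# (lowest affected, highest affected, first fixed release) per branch.
AFFECTED_RANGES = [
    ((2, 3, 0), (2, 3, 34), "2.3.35"),
    ((2, 5, 0), (2, 5, 16), "2.5.17"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.16' (or a bare '2.5') into a comparable tuple of ints."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"not a Struts version string: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    # Pad '2.5' to (2, 5, 0) so it compares as the first release of the branch.
    return parts + (0,) * (3 - len(parts)) if len(parts) < 3 else parts


def fixed_release_for(version: str) -> Optional[str]:
    """Return the fixed release to upgrade to, or None if version is not affected.

    Assumption: a fourth version component (e.g. '2.5.16.1') is treated as the
    same base release as its first three parts.
    """
    base = parse_version(version)[:3]
    for low, high, fixed in AFFECTED_RANGES:
        if low <= base <= high:
            return fixed
    return None


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each app in a {app: struts_version} inventory to the action required."""
    return {app: (fixed_release_for(v) or "not affected") for app, v in inventory.items()}


# Constructed sample inventory (hypothetical app names and versions).
SAMPLE_INVENTORY = {
    "billing-portal": "2.3.34",
    "intranet-search": "2.5.16",
    "legacy-reports": "2.3.20",
    "api-gateway": "2.5.17",
}

if __name__ == "__main__":
    for app, action in triage(SAMPLE_INVENTORY).items():
        print(f"{app}: {action}")
```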
