Apache Struts 2 Exploit Being Used By Cyber Criminals For Crypto Mining Campaigns

A critical vulnerability has been found in Apache Struts 2, and a proof-of-concept (PoC) for the flaw has been published on the internet. The flaw, tracked as CVE-2018-11776, has been patched by the Apache Software Foundation. The vulnerability arises from insufficient validation of untrusted user data by the Struts framework and can lead to remote code execution.

Did The Apache Foundation Fix the Issue?

The Apache Foundation has released an updated build that protects servers from this attack. Administrators who have not yet applied the security patch, however, may find their servers drafted into a crypto jacking campaign that exploits this security flaw.

Mining cryptocurrency such as BTC, ETH and Monero is a completely legitimate activity. When the computing power is taken from a user without consent, however, the activity is known as crypto jacking, which is probably the most common strategy used by the hackers.

Attacks that are taking advantage of this Vulnerability

An attack that takes advantage of this flaw, called CroniX, sends multiple HTTP requests while injecting an Object-Graph Navigation Language (OGNL) expression that contains malicious JavaScript code. The code executes and downloads an additional file, which launches a PowerShell command on the infected system.
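The OGNL-in-request pattern described above leaves a trace in ordinary web server access logs. As an added example (not from the article or from F5 Labs), the following Python detector percent-decodes each request target, including double-encoded ones, and flags OGNL expression markers; the log lines, hosts, paths and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (combined log format). Hosts, paths
# and timestamps are made up; "${(1+1)}" stands in for an OGNL expression.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Aug/2018:10:01:02 +0000] "GET /struts2-showcase/index.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Aug/2018:10:01:05 +0000] "GET /struts2-showcase/%24%7B%281%2B1%29%7D/actionChain1.action HTTP/1.1" 302 0 "-" "curl/7.58.0"
10.0.0.7 - - [24/Aug/2018:10:01:09 +0000] "GET /shop/search.action?q=100%25%20cotton HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Aug/2018:10:01:11 +0000] "POST /struts2-showcase/%2524%257B%25281%252B1%2529%257D/actionChain1.action HTTP/1.1" 302 0 "-" "curl/7.58.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target proto", status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# OGNL expressions are delimited by "${...}" or "%{...}".
OGNL_MARKER = re.compile(r"[$%]\{")


def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing, so a double-encoded
    payload (%2524%257B -> %24%7B -> ${) is not missed. A legitimate literal
    '%' in a query string decodes once and then stays stable."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_ognl_requests(log_text):
    """Return one record per request whose decoded target carries an OGNL marker."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        target = fully_decode(match.group("target"))
        if OGNL_MARKER.search(target):
            hits.append({
                "ip": match.group("ip"),
                "method": match.group("method"),
                "decoded_target": target,
                "status": int(match.group("status")),
            })
    return hits
```

Running `find_ognl_requests(SAMPLE_LOG)` flags only the two requests from 10.0.0.9, one of them double-encoded, while the ordinary `100%25%20cotton` query is left alone.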

The downloaded malicious script runs in memory and prepares the mining operation. Cron jobs are also set up for persistence, and the malware scans for and deletes any binaries related to previous crypto miners.

“Considering it’s only been two weeks since this vulnerability was found, it’s worth noting how fast attackers are weaponizing vulnerabilities and how quickly researchers are seeing them in the wild,” F5 Labs says. “Enterprises need to be as vigilant as ever about patching affected systems immediately.”
