Attacks exploiting highly critical Apache Struts bug are growing again

Hackers are still exploiting the bug to install malware on high-impact sites.

Eight days after developers patched a critical flaw in the Apache Struts Web application framework, there has been no let-up in the volley of attacks attempting to exploit the vulnerability, which affects a disproportionate number of high-impact websites, a security researcher said Tuesday.

As of Tuesday morning, 503 unique IP addresses were attempting to exploit the code execution bug, Jaime Blasco, chief scientist with security firm AlienVault Labs, told Ars. Based on the addresses, the attack origins were most concentrated in China (300 unique IPs), followed by the US (92), Taiwan (71), Hong Kong (15), the Netherlands (9), Russia (4), Canada (3), Italy (3), the UK, (3), and Indonesia (3). In an attempt to go undetected, the attackers in many cases have tweaked the two exploits that were being widely used in last week's wave. AlienVault has responded by updating the signatures it uses to detect the attacks.
The five-year-old vulnerability resides in Web applications that were developed using a buggy version of Apache Struts. In many cases, the use of a single such app allows attackers to inject commands of their choice into the Web server hosting it. Like the attacks seen last week, the exploits are being used to infect vulnerable servers with a wide variety of malware.

"The payloads we are seeing are common Linux backdoors, and some of the attackers are also opening reverse shells," Blasco said. "Once they gain shell access to the system, they can manually upload other tools or install other payloads (Ex: ransomware)."

The vulnerability resides in what's known as the Jakarta file upload multipart parser, which according to official Apache Struts 2 documentation is a standard part of the framework and needs only a supporting library to function. Apache Struts versions affected by the vulnerability include Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10. Servers running any of these versions should upgrade to 2.3.32 or 2.5.10.1 immediately. The vulnerability is indexed as CVE-2017-5638. AlienVault has more about the revived attacks here.

Unfortunately, fixing this critical flaw isn't always as easy as applying a single update and rebooting. That's because in many cases, Web apps must be rebuilt using a patched version of Apache Struts. For older apps, that may require developers to exhume long-forgotten source code and test the finished binary to make sure it doesn't break the rest of the website it's hosted on. Apache Struts is a framework for developing Web apps based on Oracle's larger Java framework. Struts has slowly been phased out in favor of newer developer tools, but it remains used by a significant number of banks, government agencies, and Internet companies.

Organizations that need time to rebuild or retire vulnerable apps should strongly consider using a security management tool to block exploits. The approach is by no means ideal, as attackers regularly camouflage their exploits to evade detection signatures. Still, it can provide a critical barrier of protection during the days or weeks it may take to fully fix vulnerable Web servers.