Light Dark
May 16, 2017 By Dave McMillen
Michelle Alvarez
4 min read
Software Vulnerabilities
Advanced Threats
Threat Intelligence

During an outbreak of zero-day attacks, IBM X-Force needs to work fast to assess the threat to inform customers and others of the risk and offer steps to mitigate or resolve the issue. Once the dust settles, though, we like to circle back, review what happened and identify any notable trends.

The attacks launched against the Apache Struts 2 vulnerability (CVE-2017-5638) disclosed in March is a prime example of how quick the black-hat community can leverage zero-day vulnerabilities and set up distributed attack mechanisms. At its peak, according to IBM Managed Security Services (MSS) data, attack activity increased 48 times above the average number of attacks for the time period assessed.

From Zero to 60 in Less Than 24 Hours

Apache Struts 2 is an open source web application framework for developing Java EE applications. On March 6, Apache released security advisory warning about a previously unknown remote code execution (RCE) vulnerability contained within the Jakarta Multipart parser in multiple versions of Apache Struts 2. In less than 24 hours, a Python script was created to take advantage of this weakness, and a Talos report noted “immediate exploitation occurring.”

Visit the X-Force Exchange to Learn More About the Apache Struts 2 Vulnerability

On March 10, IBM X-Force began to see attacks exploiting this vulnerability aimed at monitored clients. These attacks peaked March 23, which coincided with the day Apache released a fix. Although the volume of attack activity subsided considerably within a week of this spike, we are still seeing a persistent volume of activity targeting this vulnerability.

Figure 1: Apache Struts 2 attack metrics (Source: IBM X-Force monitored client data)

Sources and Targets

Our analysis found that almost 50 percent of the attacks originated from China. This is not surprising, since it was reported that the public proof-of-concept code first surfaced on Chinese forums, and Rapid7 reported seeing the first initial attacks from China. Meanwhile, 22 percent of the attacks originated from U.S. The distribution of the top two source countries is similar to what other researchers have reported.

Figure 2: Top sources of where the attacks originated (Source: IBM X-Force monitored client data)

Over 45 percent of all targets were located in the U.S., followed by Australia at 28 percent and the U.K. at 17 percent.

Figure 3: Top locations of the targets of the attack (Source: IBM X-Force monitored client data)

The top attacked industries were education (32 percent), accommodation and food services (23 percent), financial services (23 percent), manufacturing (12 percent) and health care (10 percent).

Organizations in the education sector are often considered easy targets due to a combination of immature patching practices and relaxed monitoring, if any. This combination guaranties relative longevity and persistence of the compromise. However, in general, this was a zero-day campaign. Attackers were focused on finding and exploiting vulnerable targets with little regard for industry.

Figure 4: Top Apache Struts 2 attacked industries (Source: IBM X-Force monitored client data)

Visit the X-Force Exchange to Learn More About the Apache Struts 2 Vulnerability

As Persistent as Shellshock?

As revealed in the 2017 IBM X-Force Threat Intelligence Index, Shellshock attacks, which first surfaced in September 2014, persisted throughout 2016. The vulnerability targeted in these attacks is relatively easy to exploit and unpatched systems are plentiful — and, therefore, worth the attackers’ while.

Will exploitation of this latest Apache Struts 2 vulnerability follow in Shellshock’s footsteps? It’s hard to say. Like the GNU Bash Shell, Apache Struts 2 is widely used. Also, the nature of the vulnerability — code execution — allows attackers to use the compromised machines in wide range of exploitation activities such as distributed denial-of-service (DDoS) botnet attacks and ransomware campaigns.

The combination of publicly available exploit code and lack of appropriate patch management practices across many organizations may perpetuate this threat for the foreseeable future.

Remediating the Apache Struts Vulnerability

So how do you address this issue? Apply the appropriate update for your system. If you are using the Jakarta-based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1. You can also switch to a different implementation of the Multipart parser. Failure to apply patches and fixes leaves your organization at risk of attack.

Additional information can be found on IBM X-Force Exchange.

 |  |  |  |  |  | 
Dave McMillen
Senior Threat Researcher, IBM X-Force
Michelle Alvarez
Manager, X-Force Strategic Threat Analysis, IBM

More from Software Vulnerabilities
September 26, 2024

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

June 6, 2024

X-Force discovers new vulnerabilities in smart treadmill

7 min read - This research was made possible thanks to contributions from Joshua Merrill. Smart gym equipment is seeing rapid growth in the fitness industry, enabling users to follow customized workouts, stream entertainment on the built-in display, and conveniently track their progress. With the multitude of features available on these internet-connected machines, a group of researchers at IBM X-Force Red considered whether user data was secure and, more importantly, whether there was any risk to the physical safety of users. One of the most…

August 9, 2023

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature