Apache Struts 2: A Zero-Day Quick Draw

During an outbreak of zero-day attacks, IBM X-Force needs to work fast to assess the threat to inform customers and others of the risk and offer steps to mitigate or resolve the issue. Once the dust settles, though, we like to circle back, review what happened and identify any notable trends.

The attacks launched against the Apache Struts 2 vulnerability (CVE-2017-5638) disclosed in March is a prime example of how quick the black-hat community can leverage zero-day vulnerabilities and set up distributed attack mechanisms. At its peak, according to IBM Managed Security Services (MSS) data, attack activity increased 48 times above the average number of attacks for the time period assessed.

From Zero to 60 in Less Than 24 Hours

Apache Struts 2 is an open source web application framework for developing Java EE applications. On March 6, Apache released security advisory warning about a previously unknown remote code execution (RCE) vulnerability contained within the Jakarta Multipart parser in multiple versions of Apache Struts 2. In less than 24 hours, a Python script was created to take advantage of this weakness, and a Talos report noted “immediate exploitation occurring.”

Visit the X-Force Exchange to Learn More About the Apache Struts 2 Vulnerability

On March 10, IBM X-Force began to see attacks exploiting this vulnerability aimed at monitored clients. These attacks peaked March 23, which coincided with the day Apache released a fix. Although the volume of attack activity subsided considerably within a week of this spike, we are still seeing a persistent volume of activity targeting this vulnerability.

Apache Struts 2 blog graphFigure 1: Apache Struts 2 attack metrics (Source: IBM X-Force monitored client data)

Sources and Targets

Our analysis found that almost 50 percent of the attacks originated from China. This is not surprising, since it was reported that the public proof-of-concept code first surfaced on Chinese forums, and Rapid7 reported seeing the first initial attacks from China. Meanwhile, 22 percent of the attacks originated from U.S. The distribution of the top two source countries is similar to what other researchers have reported.

Apache Struts 2 blog graphFigure 2: Top sources of where the attacks originated (Source: IBM X-Force monitored client data)

Over 45 percent of all targets were located in the U.S., followed by Australia at 28 percent and the U.K. at 17 percent.

Apache Struts 2 blog graphFigure 3: Top locations of the targets of the attack (Source: IBM X-Force monitored client data)

The top attacked industries were education (32 percent), accommodation and food services (23 percent), financial services (23 percent), manufacturing (12 percent) and health care (10 percent).

Organizations in the education sector are often considered easy targets due to a combination of immature patching practices and relaxed monitoring, if any. This combination guaranties relative longevity and persistence of the compromise. However, in general, this was a zero-day campaign. Attackers were focused on finding and exploiting vulnerable targets with little regard for industry.

Apache Struts 2 blog graphFigure 4: Top Apache Struts 2 attacked industries (Source: IBM X-Force monitored client data)

Visit the X-Force Exchange to Learn More About the Apache Struts 2 Vulnerability

As Persistent as Shellshock?

As revealed in the 2017 IBM X-Force Threat Intelligence Index, Shellshock attacks, which first surfaced in September 2014, persisted throughout 2016. The vulnerability targeted in these attacks is relatively easy to exploit and unpatched systems are plentiful — and, therefore, worth the attackers’ while.

Will exploitation of this latest Apache Struts 2 vulnerability follow in Shellshock’s footsteps? It’s hard to say. Like the GNU Bash Shell, Apache Struts 2 is widely used. Also, the nature of the vulnerability — code execution — allows attackers to use the compromised machines in wide range of exploitation activities such as distributed denial-of-service (DDoS) botnet attacks and ransomware campaigns.

The combination of publicly available exploit code and lack of appropriate patch management practices across many organizations may perpetuate this threat for the foreseeable future.

Remediating the Apache Struts Vulnerability

So how do you address this issue? Apply the appropriate update for your system. If you are using the Jakarta-based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1. You can also switch to a different implementation of the Multipart parser. Failure to apply patches and fixes leaves your organization at risk of attack.

Additional information can be found on IBM X-Force Exchange.

Share this Article:
Dave McMillen

Senior Threat Researcher, IBM Managed Security Services

Dave brings over 25 years of network security knowledge to IBM. Dave began his career in IBM over 15 years ago where he was part of a core team of six IBMers that created the IBM Emergency Response Service which eventually grew and evolved into Internet Security Systems. As an industry-recognized security expert and thought leader, Dave's background in security is full featured. Dave thrives on identifying threats and developing methods to solve complex problems. His specialties are intrusion detection/prevention, ethical hacking, forensics and analysis of malware and advanced threats. As a member of the IBM MSS Threat Research Team, Dave takes the intelligence he has gathered and turns out immediate tangible remedies that can be implemented within a customer’s network or on IBM MSS's own proprietary detection engines. Dave became interested in security back in the late 1980's and owned and operated a company that provided penetration and vulnerability testing service, one of the first of its kind. As the internet's footprint began to grow, it became clear to him there was a new problem on the horizon; protecting data. Dave worked with WheelGroup (later acquired by Cisco) where he helped develop NetRanger IDS and NetSonar. Dave also assisted with development of the very first IBM intrusion detection system, BillyGoat. Dave also has developed several other security based methods and systems which were patented for IBM.