During an outbreak of zero-day attacks, IBM X-Force needs to work fast to assess the threat to inform customers and others of the risk and offer steps to mitigate or resolve the issue. Once the dust settles, though, we like to circle back, review what happened and identify any notable trends.

The attacks launched against the Apache Struts 2 vulnerability (CVE-2017-5638) disclosed in March is a prime example of how quick the black-hat community can leverage zero-day vulnerabilities and set up distributed attack mechanisms. At its peak, according to IBM Managed Security Services (MSS) data, attack activity increased 48 times above the average number of attacks for the time period assessed.

From Zero to 60 in Less Than 24 Hours

Apache Struts 2 is an open source web application framework for developing Java EE applications. On March 6, Apache released security advisory warning about a previously unknown remote code execution (RCE) vulnerability contained within the Jakarta Multipart parser in multiple versions of Apache Struts 2. In less than 24 hours, a Python script was created to take advantage of this weakness, and a Talos report noted “immediate exploitation occurring.”

Visit the X-Force Exchange to Learn More About the Apache Struts 2 Vulnerability

On March 10, IBM X-Force began to see attacks exploiting this vulnerability aimed at monitored clients. These attacks peaked March 23, which coincided with the day Apache released a fix. Although the volume of attack activity subsided considerably within a week of this spike, we are still seeing a persistent volume of activity targeting this vulnerability.

Figure 1: Apache Struts 2 attack metrics (Source: IBM X-Force monitored client data)

Sources and Targets

Our analysis found that almost 50 percent of the attacks originated from China. This is not surprising, since it was reported that the public proof-of-concept code first surfaced on Chinese forums, and Rapid7 reported seeing the first initial attacks from China. Meanwhile, 22 percent of the attacks originated from U.S. The distribution of the top two source countries is similar to what other researchers have reported.

Figure 2: Top sources of where the attacks originated (Source: IBM X-Force monitored client data)

Over 45 percent of all targets were located in the U.S., followed by Australia at 28 percent and the U.K. at 17 percent.

Figure 3: Top locations of the targets of the attack (Source: IBM X-Force monitored client data)

The top attacked industries were education (32 percent), accommodation and food services (23 percent), financial services (23 percent), manufacturing (12 percent) and health care (10 percent).

Organizations in the education sector are often considered easy targets due to a combination of immature patching practices and relaxed monitoring, if any. This combination guaranties relative longevity and persistence of the compromise. However, in general, this was a zero-day campaign. Attackers were focused on finding and exploiting vulnerable targets with little regard for industry.

Figure 4: Top Apache Struts 2 attacked industries (Source: IBM X-Force monitored client data)

Visit the X-Force Exchange to Learn More About the Apache Struts 2 Vulnerability

As Persistent as Shellshock?

As revealed in the 2017 IBM X-Force Threat Intelligence Index, Shellshock attacks, which first surfaced in September 2014, persisted throughout 2016. The vulnerability targeted in these attacks is relatively easy to exploit and unpatched systems are plentiful — and, therefore, worth the attackers’ while.

Will exploitation of this latest Apache Struts 2 vulnerability follow in Shellshock’s footsteps? It’s hard to say. Like the GNU Bash Shell, Apache Struts 2 is widely used. Also, the nature of the vulnerability — code execution — allows attackers to use the compromised machines in wide range of exploitation activities such as distributed denial-of-service (DDoS) botnet attacks and ransomware campaigns.

The combination of publicly available exploit code and lack of appropriate patch management practices across many organizations may perpetuate this threat for the foreseeable future.

Remediating the Apache Struts Vulnerability

So how do you address this issue? Apply the appropriate update for your system. If you are using the Jakarta-based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or You can also switch to a different implementation of the Multipart parser. Failure to apply patches and fixes leaves your organization at risk of attack.

Additional information can be found on IBM X-Force Exchange.

More from Software Vulnerabilities

X-Force Prevents Zero Day from Going Anywhere

8 min read - This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…

8 min read

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

12 min read - ‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

12 min read

Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers

17 min read - Overview In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers are using this technique to achieve their objectives. It is therefore important that we put a spotlight on this capability and learn more about its potential impact. Specifically, in this post, we will evaluate how Kernel post-exploitation can be used…

17 min read

Dissecting and Exploiting TCP/IP RCE Vulnerability “EvilESP”

10 min read - September’s Patch Tuesday unveiled a critical remote vulnerability in tcpip.sys, CVE-2022-34718. The advisory from Microsoft reads: “An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPsec is enabled, which could enable a remote code execution exploitation on that machine.” Pure remote vulnerabilities usually yield a lot of interest, but even over a month after the patch, no additional information outside of Microsoft’s advisory had been publicly published. From my side, it had been a…

10 min read