Light Dark
May 16, 2017 By Dave McMillen
Michelle Alvarez
4 min read
Software Vulnerabilities
Advanced Threats
Threat Intelligence

During an outbreak of zero-day attacks, IBM X-Force needs to work fast to assess the threat to inform customers and others of the risk and offer steps to mitigate or resolve the issue. Once the dust settles, though, we like to circle back, review what happened and identify any notable trends.

The attacks launched against the Apache Struts 2 vulnerability (CVE-2017-5638) disclosed in March is a prime example of how quick the black-hat community can leverage zero-day vulnerabilities and set up distributed attack mechanisms. At its peak, according to IBM Managed Security Services (MSS) data, attack activity increased 48 times above the average number of attacks for the time period assessed.

From Zero to 60 in Less Than 24 Hours

Apache Struts 2 is an open source web application framework for developing Java EE applications. On March 6, Apache released security advisory warning about a previously unknown remote code execution (RCE) vulnerability contained within the Jakarta Multipart parser in multiple versions of Apache Struts 2. In less than 24 hours, a Python script was created to take advantage of this weakness, and a Talos report noted “immediate exploitation occurring.”

Visit the X-Force Exchange to Learn More About the Apache Struts 2 Vulnerability

On March 10, IBM X-Force began to see attacks exploiting this vulnerability aimed at monitored clients. These attacks peaked March 23, which coincided with the day Apache released a fix. Although the volume of attack activity subsided considerably within a week of this spike, we are still seeing a persistent volume of activity targeting this vulnerability.

Figure 1: Apache Struts 2 attack metrics (Source: IBM X-Force monitored client data)

Sources and Targets

Our analysis found that almost 50 percent of the attacks originated from China. This is not surprising, since it was reported that the public proof-of-concept code first surfaced on Chinese forums, and Rapid7 reported seeing the first initial attacks from China. Meanwhile, 22 percent of the attacks originated from U.S. The distribution of the top two source countries is similar to what other researchers have reported.

Figure 2: Top sources of where the attacks originated (Source: IBM X-Force monitored client data)

Over 45 percent of all targets were located in the U.S., followed by Australia at 28 percent and the U.K. at 17 percent.

Figure 3: Top locations of the targets of the attack (Source: IBM X-Force monitored client data)

The top attacked industries were education (32 percent), accommodation and food services (23 percent), financial services (23 percent), manufacturing (12 percent) and health care (10 percent).

Organizations in the education sector are often considered easy targets due to a combination of immature patching practices and relaxed monitoring, if any. This combination guaranties relative longevity and persistence of the compromise. However, in general, this was a zero-day campaign. Attackers were focused on finding and exploiting vulnerable targets with little regard for industry.

Figure 4: Top Apache Struts 2 attacked industries (Source: IBM X-Force monitored client data)

Visit the X-Force Exchange to Learn More About the Apache Struts 2 Vulnerability

As Persistent as Shellshock?

As revealed in the 2017 IBM X-Force Threat Intelligence Index, Shellshock attacks, which first surfaced in September 2014, persisted throughout 2016. The vulnerability targeted in these attacks is relatively easy to exploit and unpatched systems are plentiful — and, therefore, worth the attackers’ while.

Will exploitation of this latest Apache Struts 2 vulnerability follow in Shellshock’s footsteps? It’s hard to say. Like the GNU Bash Shell, Apache Struts 2 is widely used. Also, the nature of the vulnerability — code execution — allows attackers to use the compromised machines in wide range of exploitation activities such as distributed denial-of-service (DDoS) botnet attacks and ransomware campaigns.

The combination of publicly available exploit code and lack of appropriate patch management practices across many organizations may perpetuate this threat for the foreseeable future.

Remediating the Apache Struts Vulnerability

So how do you address this issue? Apply the appropriate update for your system. If you are using the Jakarta-based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1. You can also switch to a different implementation of the Multipart parser. Failure to apply patches and fixes leaves your organization at risk of attack.

Additional information can be found on IBM X-Force Exchange.

 |  |  |  |  |  | 
Dave McMillen
Senior Threat Researcher, IBM X-Force
Michelle Alvarez
Manager, X-Force Strategic Threat Analysis, IBM

More from Software Vulnerabilities
August 9, 2023

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

August 2, 2023

MSMQ QueueJumper (RCE Vulnerability): An in-depth technical analysis

13 min read - The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queueing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and remotely. This analysis was performed in collaboration with the Randori and X-Force Adversary Services teams, by Valentina Palmiotti, Fabius Watson, and Aaron Portnoy. Research motivations…

March 30, 2023

X-Force prevents zero day from going anywhere

8 min read - This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature