Apache Struts 2: A Zero-Day Quick Draw
During an outbreak of zero-day attacks, IBM X-Force needs to work fast to assess the threat to inform customers and others of the risk and offer steps to mitigate or resolve the issue. Once the dust settles, though, we like to circle back, review what happened and identify any notable trends.
The attacks launched against the Apache Struts 2 vulnerability (CVE-2017-5638) disclosed in March is a prime example of how quick the black-hat community can leverage zero-day vulnerabilities and set up distributed attack mechanisms. At its peak, according to IBM Managed Security Services (MSS) data, attack activity increased 48 times above the average number of attacks for the time period assessed.
From Zero to 60 in Less Than 24 Hours
Apache Struts 2 is an open source web application framework for developing Java EE applications. On March 6, Apache released security advisory warning about a previously unknown remote code execution (RCE) vulnerability contained within the Jakarta Multipart parser in multiple versions of Apache Struts 2. In less than 24 hours, a Python script was created to take advantage of this weakness, and a Talos report noted “immediate exploitation occurring.”
On March 10, IBM X-Force began to see attacks exploiting this vulnerability aimed at monitored clients. These attacks peaked March 23, which coincided with the day Apache released a fix. Although the volume of attack activity subsided considerably within a week of this spike, we are still seeing a persistent volume of activity targeting this vulnerability.
Figure 1: Apache Struts 2 attack metrics (Source: IBM X-Force monitored client data)
Sources and Targets
Our analysis found that almost 50 percent of the attacks originated from China. This is not surprising, since it was reported that the public proof-of-concept code first surfaced on Chinese forums, and Rapid7 reported seeing the first initial attacks from China. Meanwhile, 22 percent of the attacks originated from U.S. The distribution of the top two source countries is similar to what other researchers have reported.
Figure 2: Top sources of where the attacks originated (Source: IBM X-Force monitored client data)
Over 45 percent of all targets were located in the U.S., followed by Australia at 28 percent and the U.K. at 17 percent.
Figure 3: Top locations of the targets of the attack (Source: IBM X-Force monitored client data)
The top attacked industries were education (32 percent), accommodation and food services (23 percent), financial services (23 percent), manufacturing (12 percent) and health care (10 percent).
Organizations in the education sector are often considered easy targets due to a combination of immature patching practices and relaxed monitoring, if any. This combination guaranties relative longevity and persistence of the compromise. However, in general, this was a zero-day campaign. Attackers were focused on finding and exploiting vulnerable targets with little regard for industry.
Figure 4: Top Apache Struts 2 attacked industries (Source: IBM X-Force monitored client data)
As Persistent as Shellshock?
As revealed in the 2017 IBM X-Force Threat Intelligence Index, Shellshock attacks, which first surfaced in September 2014, persisted throughout 2016. The vulnerability targeted in these attacks is relatively easy to exploit and unpatched systems are plentiful — and, therefore, worth the attackers’ while.
Will exploitation of this latest Apache Struts 2 vulnerability follow in Shellshock’s footsteps? It’s hard to say. Like the GNU Bash Shell, Apache Struts 2 is widely used. Also, the nature of the vulnerability — code execution — allows attackers to use the compromised machines in wide range of exploitation activities such as distributed denial-of-service (DDoS) botnet attacks and ransomware campaigns.
The combination of publicly available exploit code and lack of appropriate patch management practices across many organizations may perpetuate this threat for the foreseeable future.
Remediating the Apache Struts Vulnerability
So how do you address this issue? Apply the appropriate update for your system. If you are using the Jakarta-based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 126.96.36.199. You can also switch to a different implementation of the Multipart parser. Failure to apply patches and fixes leaves your organization at risk of attack.
Additional information can be found on IBM X-Force Exchange.