Endpoint attacks can come from any direction and many sources. Just consider the reported vulnerabilities found in Apache Struts and the damage caused by WannaCry and Petya. Companies need to stay one step ahead of endpoint attacks, but they struggle due to a lack of visibility of endpoint status, the complexity of investigations and ineffective remediation.

Let’s consider the Apache Struts vulnerability in more detail. S2-052 (CVE-2017-9805) lives in the Struts 2 REST plugin: the plugin deserializes untrusted XML request bodies with XStream without any type filtering, so an attacker who can reach a REST endpoint can execute arbitrary code in the context of the affected application. See the S2-052 Apache Security Bulletin and the IBM X-Force Exchange security alerts page for technical details on how the vulnerability is exploited, which versions of Apache Struts are affected and the recommended remediation actions.


How Do You Know If Your Endpoints Are Susceptible?

What if you’re vulnerable and you don’t even know it? Security and IT organizations must be able to see, understand and act on endpoint threats fast. In the case of Apache Struts, you must be able to quickly identify every computer running an application built on Apache Struts and determine which version of the framework each of those servers or endpoint devices carries. But how do you know whether a published vulnerability applies to you? Where do you begin?

Struts is not installed in a dedicated directory or file system path. It ships as a Java library (struts2-core-<version>.jar, with the REST plugin in a separate struts2-rest-plugin JAR) that each application bundles inside its own WAR or EAR archive, so a vulnerable copy can sit anywhere on the file system, frequently inside another archive where a package inventory will never see it. You must therefore scan the full file system on every endpoint, including developer workstations and build servers, for Struts JARs both loose on disk and inside deployed archives, and compare each version you find against the affected ranges in the bulletin (for S2-052: 2.1.2 through 2.3.33 and 2.5 through 2.5.12, fixed in 2.3.34 and 2.5.13). Because S2-052 is only reachable through the REST plugin, the same scan should record whether that plugin is deployed alongside the core library.
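The inventory step described above, as an added example that is not part of the original article and is not IBM BigFix content: it walks a directory tree, finds struts2-core and struts2-rest-plugin JARs whether they sit loose on disk or inside WAR/EAR/fat-JAR archives (nested archives are opened in memory), and pairs each core copy with the REST plugin found in the same deployment. The file-name convention, the affected and fixed version ranges (taken from the S2-052 bulletin) and the sample tree built in a temporary directory are assumptions of this example, not data from any real host.

```python
"""Inventory Struts 2 libraries on a host and flag copies exposed to S2-052.

Added example (not from the original article). Assumes Struts ships as
struts2-core-<version>.jar and struts2-rest-plugin-<version>.jar, loose on
disk or packed inside WAR/EAR/JAR archives; version ranges per the Apache
S2-052 bulletin. The sample tree below is constructed, not a real host.
"""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

JAR_RE = re.compile(r"^(struts2-core|struts2-rest-plugin)-(\d+(?:\.\d+)*)\.jar$")
ARCHIVE_EXTS = (".war", ".ear", ".jar", ".zip")


@dataclass(frozen=True)
class Finding:
    location: str   # filesystem path; "!" separates nested archive members
    artifact: str   # "struts2-core" or "struts2-rest-plugin"
    version: str


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """True for S2-052 affected ranges: 2.1.2-2.3.33 and 2.5-2.5.12 (bulletin);
    2.3.34 and 2.5.13 carry the fix."""
    v = parse_version(version)
    return (2, 1, 2) <= v <= (2, 3, 33) or (2, 5) <= v <= (2, 5, 12)


def _scan_zip(zf, location, depth, out):
    for name in zf.namelist():
        base = os.path.basename(name)
        inner = f"{location}!{name}"
        match = JAR_RE.match(base)
        if match:
            out.append(Finding(inner, match.group(1), match.group(2)))
        elif depth > 0 and base.lower().endswith(ARCHIVE_EXTS):
            # WAR inside EAR, or library inside a fat JAR: open the member in memory.
            try:
                with zf.open(name) as fh, zipfile.ZipFile(io.BytesIO(fh.read())) as nested:
                    _scan_zip(nested, inner, depth - 1, out)
            except zipfile.BadZipFile:
                pass


def scan(root, max_depth=2):
    """Walk root and collect every Struts core / REST-plugin JAR, loose or archived."""
    out = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            match = JAR_RE.match(fn)
            if match:
                out.append(Finding(path, match.group(1), match.group(2)))
            elif fn.lower().endswith(ARCHIVE_EXTS) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    _scan_zip(zf, path, max_depth, out)
    return out


def assess(findings):
    """One row per struts2-core copy. S2-052 is reachable only via the REST plugin,
    so exposure needs an affected core AND the plugin in the same deployment."""
    def container(loc):
        return loc.split("!", 1)[0] if "!" in loc else os.path.dirname(loc)

    rest = {container(f.location) for f in findings if f.artifact == "struts2-rest-plugin"}
    rows = []
    for f in findings:
        if f.artifact != "struts2-core":
            continue
        affected, has_rest = is_affected(f.version), container(f.location) in rest
        rows.append({"location": f.location, "version": f.version,
                     "affected_version": affected, "rest_plugin_present": has_rest,
                     "exposed_to_s2_052": affected and has_rest})
    return rows


def build_sample_tree(base):
    """Constructed sample layout: exploded app, patched WAR, and a WAR inside an EAR."""
    lib = os.path.join(base, "app1", "WEB-INF", "lib")
    os.makedirs(lib)
    for name in ("struts2-core-2.5.12.jar", "struts2-rest-plugin-2.5.12.jar"):
        open(os.path.join(lib, name), "wb").close()
    with zipfile.ZipFile(os.path.join(base, "app2.war"), "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.5.13.jar", b"")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.3.33.jar", b"")
        war.writestr("WEB-INF/lib/commons-lang-2.4.jar", b"")   # not a zip; skipped
    with zipfile.ZipFile(os.path.join(base, "legacy.ear"), "w") as ear:
        ear.writestr("legacy.war", buf.getvalue())


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sorted(assess(scan(tmp)), key=lambda r: r["version"])


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

Run against a real host you would point scan() at the application server roots (and developer home directories) rather than at the constructed tree; max_depth bounds how far nested archives are unpacked. Note that the version is read from the file name, so a renamed or snapshot JAR (no numeric version suffix) is not reported and needs a manifest check instead, and that "affected but no REST plugin" still warrants an upgrade even though it is not exposed to this particular bug.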

Mitigating Endpoint Attacks

Once you know which servers are affected, take the actions the security bulletin recommends. For S2-052 that means upgrading Struts to 2.3.34 or 2.5.13 (or later) in every application that bundles the library; because the JAR is packaged inside each application rather than installed once on the host, each affected application must be rebuilt against the fixed version and redeployed, and the inventory scan rerun afterward to confirm no old copies remain. The bulletin also gives an interim workaround where an upgrade cannot be scheduled immediately: remove the REST plugin if the application does not use it, or restrict the plugin to serving normal pages and JSON so the XML handler is no longer reachable. Application servers commonly host several applications, so you may not be able to shut down or quarantine an entire server if it is running other critical applications that are not affected. The IT security and operations teams need to decide how best to remediate based on which servers and applications are affected within their environments.

According to Forrester Research, “Endpoint security represents the front line in your fight against cyberattackers. Breaches have become commonplace among enterprises, and your employee endpoints and servers are targeted more than any other type of asset.” Solutions such as IBM BigFix can help IT security and operations teams put in place the required remediation actions based on the organization’s environment and risk mitigation assessments.

With the ability to clearly see the status of all endpoints across the enterprise and use guided investigations to understand both the scope of an attack and the specific remediation steps needed to contain the threat, security teams can act quickly and decisively to protect valuable assets and reduce the organization’s attack surface.
