Attackers are attempting to exploit the recent Apache Struts vulnerability on Windows servers and the payload is a variant of the Cerber ransomware.
The SANS Internet Storm Center on Thursday said it has seen numerous attempts during the past month to exploit the vulnerability in this way. The flaw was disclosed March 6 and patched in short order one day later.
Johannes Ullrich, dean of research, told Threatpost that the SANS honeypot received 300 hits for the Cerber infection in the last four days, and 5,000 other Struts2 exploit attempts.
“So it is a significant number, but most of the struts exploits are just testing if the system is vulnerable,” Ullrich said, adding that all 300 attacks came from Chinese IP 122[.]225[.]98[.]178, and tried to install the same Cerber binary from a 1and1 domain 82[.]165[.]129[.]119, which is still active.
“They have been notified of the issue but so far, they have not acted,” Ullrich said.
The issue is in the Jakarta Multipart parser that comes with Apache Struts 2. An attacker can trivially exploit the vulnerability to gain remote code execution by sending a HTTP request that contains a crafted Content-Type value. The vulnerable software will throw an exception in such cases, and as it prepares the error message for display, a malicious Content Type value would be executed instead of displayed.
Most public scans and attacks against the vulnerability have been limited to a number of Linux bots used for DDoS attacks. Researchers were concerned about longterm effects caused by this vulnerability, which was being publicly exploited before it was disclosed, especially once a Metasploit module was made available. Admins were advised to upgrade immediately to Struts 2.3.32 or 126.96.36.199.
The SANS ISC shared an exploit on Thursday and said the attack script uses BTISAdmin to download the exploit from an attacker-controlled URL. It also said the malware samples it saw were called UnInstall.exe and were shared in the Windows %TEMP% directory. VirusTotal coverage was 24 out of 61, SANS said.
Cerber has been in circulation for more than a year, and like most crypto-ransomware families, it has been spread by exploit kits, spam campaigns, and the same botnet used by the Dridex financial malware. Recently, versions of Cerber and Locky ransomware were focusing on stealth and avoiding detection by hiding inside NSIS installers.
In exploits against the Apache Struts 2 vulnerability, the SANS Institute said payment instructions are included in an unencrypted README file. Victims are told to download Tor and follow a link to remit payment using Bitcoin.
“The malware reaches out to btc.blockr.io to retrieve a bitcoin wallet address for the money transfer,” the SANS ISC advisory says. “Encrypted files are renamed using random (encrypted) file names.”
The Struts 2 vulnerability is particularly risky for Apache webservers running as root, which is not a recommended practice. Attackers have been scanning for vulnerable deployments since the issue was made public, and it’s unknown whether these scans are benign, experts said. An attack would look like a webserver request, and it would include a malformed content type.
“Unfortunately, due to the nature of command-line injections like this, it’s very easy to modify,” Cisco Talos researcher Craig Williams told Threatpost in March. “And that’s why I think we’re going to continue to see exploitation rise for the foreseeable future.”
Williams said an attacker could use the access afforded by a successful exploit to move laterally on a network and if they’re able to access a domain controller, for example, malware could be pushed to any computer inside an organization.
“The sky’s the limit,” Williams said.