Attackers are continuing to seek out and exploit vulnerable servers running vulnerable versions of the Apache Struts framework, with hundreds of separate sources trying to take advantage of the bug.
The vulnerability lies in the way that some versions of the Struts framework handles some content-type values. An attacker who is able to exploit the vulnerability would be able to execute arbitrary code under some circumstances. Researchers said the vulnerability is simple to exploit.
“Talos began investigating for exploitation attempts and found a high number of exploitation events. The majority of the exploitation attempts seem to be leveraging a publicly released PoC that is being used to run various commands. Talos has observed simple commands (i.e. whoami) as well as more sophisticated commands including pulling down a malicious ELF executable and execution,” Nick Biasini from the Cisco Talos team said in a post analyzing the exploits.
Attackers jumped on the vulnerability right after the advisory was published, and the existence of public exploit code only made things worse. Now, researchers say that a substantial number of attackers are continuing to target vulnerable servers.
“Starting last Thursday (March 9, 2017), we have seen a high number of attackers trying to exploit this vulnerability. Different payloads have been observed,” Jaime Blasco of AlienVault said in a post on the attacks.
“As of today, using the telemetry we received from the AlienVault Open Threat Exchange (OTX), we have identified more than 400 unique sources that are attempting to exploit this vulnerability.”
The vulnerability has been present in some versions of Struts for several years and attackers have been exploiting it with various different techniques and installing malware on compromised servers. Apache issued a patch for the vulnerability earlier this month and has encouraged users to upgrade to the fixed versions, 2.3.32 or 188.8.131.52.
Image: Rich Bowen, CC By license.