A new critical Apache Struts vulnerability is being actively exploited in the wild, despite being patched.
The flaw, CVE-2017-5638, is a remote code execution vulnerability in the Jakarta Multipart parser that is caused by the misuse of Content-Type header values. Apache Struts is an open source framework used to build Java web applications, so the effects are widespread.
The Apache Struts vulnerability was initially published and patched on March 6, but reports of exploits in the wild continue to emerge.
Security researchers at Cisco Talos have been tracking the Apache Struts vulnerability and some of its exploits, and they found that attackers are either doing simple probing, like #cmd='whoami' or ifconfig, or downloading malicious payloads.
However, Tom Sellers, threat analysis and security researcher at Boston-based Rapid7, said probing may not be so simple.
"In the context of this vulnerability ... we'd strongly caution that these 'harmless commands' are in fact working to determine if a target is vulnerable," Sellers said. "It's well within the realm of possibility that we're watching attackers work to understand the number of vulnerable hosts on the public internet as an information-gathering effort that is part of preparation for a later attack."
The blog post from Cisco Talos examines a few specific examples of the different exploits for the Apache Struts vulnerability, including the probing for the right vulnerable account -- think root -- as well as the more sophisticated attacks that download malicious payloads to spread malware.
"The payloads being delivered vary considerably, and to their credit, many of the sites have already been taken down and the payloads are no longer available," wrote Nick Biasini, an outreach engineer for Cisco Talos.
He went on to indicate that there doesn't seem to be an end in sight for the exploits of the Apache Struts vulnerability. "It is likely that the exploitation will continue in a wide scale since it is relatively trivial to exploit and there are clearly systems that are potentially vulnerable," Biasini wrote.
The only thing Apache Struts users can do to mitigate the threat is to immediately upgrade to a version that's not vulnerable -- either 2.3.32, 184.108.40.206 or later.
In other news:
- WikiLeaks founder Julian Assange reportedly contacted Microsoft after vowing last week to follow responsible disclosure procedures with the Vault 7 CIA hacking tools. Assange said he and the WikiLeaks team would "disarm" the CIA hacking tools before releasing specifics on them, giving vendors and developers a chance to issue fixes and potentially suffer less damage. The Register reported on March 13 that a Microsoft spokesperson confirmed that WikiLeaks "made initial contact" with the company. There's no word yet on whether Assange or WikiLeaks has reached out to Apple or Google.
- Thousands of U.S. Air Force documents containing highly sensitive personnel information on high-ranking officers have been exposed. According to MacKeeper security researchers, the leak came from a misconfigured device that contained backup data. The device reportedly belongs to a lieutenant in the Air Force who didn't realize it was unsecured. Information exposed by the leak included personnel by eligibility and access reports that contained several hundred service members' names, ranks and social security numbers. Another document discovered had a list of open investigations into military personnel -- such as claims of discrimination and sexual harassment -- and included the names, ranks, locations and descriptions of the accusations. As ZDNet reported, the information in this data leak is a "holy grail" for spies and enemies of the United States.
- End-to-end encryption messaging apps WhatsApp and Telegram patched vulnerabilities that allowed attackers to take control of hundreds of millions of user accounts. Researchers at Check Point Software Technologies publicly disclosed the vulnerability on March 15 after informing WhatsApp and Telegram on March 7; both companies had patched the vulnerabilities within a day. There is no evidence that either vulnerability was exploited in the wild. "This vulnerability, if exploited, would have allowed attackers to completely take over users' accounts on any browser, and access victims' personal and group conversations, photos, videos and other shared files, contact lists, and more," Check Point researchers wrote. "This means that attackers could potentially download your photos and or post them online, send messages on your behalf, demand ransom, and even take over your friends' accounts."
- On the first day of the 10th annual Pwn2Own hacking competition, participants were able to hack Microsoft Edge, Apple's Safari, Ubuntu and Adobe Reader. The competition, which is sponsored by security vendor TippingPoint and takes place at the CanSecWest security conference in Canada, offered a pool of $1 million for exploits uncovered by participating security researchers. Adobe Reader was cracked by two different groups, as was Safari. One of the same teams to crack Safari also hacked Ubuntu. The team from Tencent Security, which hacked Adobe Reader and Microsoft Edge, earned the highest reward for the competition at $80,000.
Read more about the widespread effects of the Struts vulnerability
Learn about other recent WhatsApp security issues