Apache Struts vulnerability CVE-2018-11776 has been used to deploy cryptocurrency miners
On August 22, 2018, the Apache Software Foundation published a security bulletin for a critical vulnerability in the Apache Struts open source web application framework. The bulletin stated that the flaw, tracked as CVE-2018-11776, allows remote code execution if successfully exploited. Only one day later, on August 23, a researcher using the GitHub ID "jas502n" released proof-of-concept (PoC) exploit code for the vulnerability, and on August 24 a second researcher, GitHub ID "pr4jwal", published a Python script that exploits it.
Incident response firm Volexity noted in a blog post on Monday, August 27, that shortly after the PoC code was released it observed active scanning for vulnerable systems and attempts to exploit the vulnerability. According to Volexity, every attack observed so far has been based on the publicly released PoC code. At least one attacker used CVE-2018-11776 to install the CNRig cryptocurrency miner; the initial attacks were observed from 95.161.225.94 and 167.114.171.27, in Russia and Canada respectively.
Over the past 24 hours GreyNoise has observed three (3) additional distinct hosts (202.189.2.94, 182.23.83.30, 95.161.225.94) crawl the Internet to test for this vulnerability as well, all using the same tooling. This indicates that these hosts are likely part of the same botnet
— GreyNoise (@GreyNoiseIO) August 28, 2018
If the exploit succeeds, the vulnerable system runs wget against the two URLs below, downloading a CNRig miner build from GitHub (saved as xrig) and a shell script, upcheck.sh, from BitBucket:
hxxps://github.com/cnrig/cnrig/releases/download/v0.1.5-release/cnrig-0.1.5-linux-x86_64
hxxps://bitbucket.org/c646/zz/downloads/upcheck.sh
The upcheck.sh script references three further ELF binaries, cryptocurrency miner executables built for the Intel (x86-64), ARM and MIPS architectures. That selection of targets shows the campaign was prepared to mine on a wide range of Linux hardware: servers, desktops, laptops, IoT devices and wireless routers. In other words, whatever kind of device is running a vulnerable Apache Struts instance, the attacker has a miner that fits it.
The downloads folder of the BitBucket account hosting the script appears to be an open directory; browsing it lists the script and the other ELF binaries referenced above:
Image: volexity
Once the miner is running, it connects to the mining pool us-east.cryptonight-hub.miningpoolhub.com on TCP port 20580 and mines to the pool account c646.miner. Notably, the pool account name matches the attacker's BitBucket account name. Volexity also pointed out that the binaries downloaded from the BitBucket repository contain the string "Follow the white rabbit".
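The indicators above (attacker IPs, the two download URLs, the pool host and port, the pool account and the embedded string) are the practical takeaway for defenders. The script below is an added example, not Volexity's or GreyNoise's tooling, that matches those indicators against log lines from a web server, an outbound proxy, connection tracking and process auditing. The log lines in SAMPLE_LOGS are constructed for the example in a few common formats, and the check for an OGNL interpolation marker ("${" or its URL-encoded form) in the request line is a generic heuristic of mine, not something the article states.

```python
import re
from urllib.parse import unquote

# --- indicators taken from the article ------------------------------------
SCANNER_IPS = {
    "95.161.225.94", "167.114.171.27",   # Volexity: initial attack sources
    "202.189.2.94", "182.23.83.30",      # GreyNoise: additional scanning hosts
}
# The article prints these defanged ("hxxps"); stored here as (host, path)
# so they can be compared against proxy, DNS or EDR command-line logs.
PAYLOAD_URLS = {
    ("github.com",
     "/cnrig/cnrig/releases/download/v0.1.5-release/cnrig-0.1.5-linux-x86_64"),
    ("bitbucket.org", "/c646/zz/downloads/upcheck.sh"),
}
POOL_HOST = "us-east.cryptonight-hub.miningpoolhub.com"
POOL_PORT = 20580
POOL_ACCOUNT = "c646.miner"
MINER_STRING = b"Follow the white rabbit"

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(?::\d+)?(/[^\s\"']*)?")
# Heuristic (assumption, not from the article): an OGNL interpolation marker
# in a request line is not something a legitimate Struts client sends.
OGNL_MARKER_RE = re.compile(r"\$\{|%24%7[Bb]")


def scan_line(line: str) -> list:
    """Return the reasons (possibly none) why a single log line matches."""
    reasons = []
    for ip in IP_RE.findall(line):
        if ip in SCANNER_IPS:
            reasons.append(f"known scanner/attacker IP {ip}")
    for host, path in URL_RE.findall(line):
        if (host, unquote(path)) in PAYLOAD_URLS:
            reasons.append(f"CNRig payload download from {host}")
    if POOL_HOST in line:
        port_note = f":{POOL_PORT}" if str(POOL_PORT) in line else ""
        reasons.append(f"connection to mining pool {POOL_HOST}{port_note}")
    if POOL_ACCOUNT in line:
        reasons.append(f"mining pool account {POOL_ACCOUNT}")
    if OGNL_MARKER_RE.search(line):
        reasons.append("OGNL expression marker in request (heuristic)")
    return reasons


def scan_lines(lines) -> list:
    """Return [(line_index, reasons)] for every line that matched at least once."""
    hits = []
    for i, line in enumerate(lines):
        reasons = scan_line(line)
        if reasons:
            hits.append((i, reasons))
    return hits


def binary_has_marker(blob: bytes) -> bool:
    """True if a file's bytes contain the string Volexity reported in the miners."""
    return MINER_STRING in blob


# Constructed sample lines (web server, proxy, conntrack, process audit);
# not real captures.
SAMPLE_LOGS = [
    '95.161.225.94 - - [27/Aug/2018:10:01:02 +0000] "GET /%24%7B...%7D/index.action HTTP/1.1" 302 -',
    '2018-08-27T10:01:05Z web01 wget url="https://bitbucket.org/c646/zz/downloads/upcheck.sh" status=200',
    '2018-08-27T10:01:30Z web01 conntrack dst=us-east.cryptonight-hub.miningpoolhub.com:20580 proto=tcp',
    '10.0.0.5 - - [27/Aug/2018:10:02:00 +0000] "GET /index.action HTTP/1.1" 200 5120',
    '2018-08-27T10:01:31Z web01 proc argv="xrig -u c646.miner"',
]

if __name__ == "__main__":
    for idx, reasons in scan_lines(SAMPLE_LOGS):
        print(f"line {idx}: " + "; ".join(reasons))
```

The IP and URL indicators are the most perishable: the scanning hosts change and the BitBucket account can be deleted at any time, while the pool host, pool account and the "Follow the white rabbit" string tie a sample to this specific actor and are the ones worth keeping in a detection rule.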
The Apache Struts framework is used worldwide, including by 65% of Fortune 100 companies, among them mobile operator Vodafone, aerospace manufacturer Lockheed Martin and Virgin Atlantic, as well as the US Internal Revenue Service (IRS).
The Apache Software Foundation has fixed the vulnerability in Struts 2.3.35 and 2.5.17. Exploitation depends on the application's namespace configuration (per the Apache advisory, alwaysSelectFullNamespace being enabled, or results and url tags used without a namespace inside a package with no or a wildcard namespace), but those conditions are easy to meet without realising it, so companies and developers running Apache Struts should upgrade rather than rely on configuration, and do so as soon as possible.
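Because the fixed versions are 2.3.35 and 2.5.17, the quickest triage on a fleet is to find every struts2-core jar and compare its version against those. The following is an added example of mine, not Apache's or the article's code: it walks exploded webapp directories, reads the version from the jar's META-INF/MANIFEST.MF (Implementation-Version, then Bundle-Version) and falls back to the file name. The affected ranges 2.3 to 2.3.34 and 2.5 to 2.5.16 come from the Apache advisory; treating older, unsupported 2.x lines as affected is an assumption.

```python
import os
import re
import sys
import zipfile

FIXED_2_3 = (2, 3, 35)   # fixed versions named in the article
FIXED_2_5 = (2, 5, 17)
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")
JAR_NAME_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+).*\.jar$")


def parse_version(text: str) -> tuple:
    """'2.5.16-SNAPSHOT' -> (2, 5, 16); qualifiers after the digits are ignored."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_vulnerable(version: str) -> bool:
    """True if this struts2-core version predates the CVE-2018-11776 fix."""
    v = parse_version(version)
    if v[:2] == (2, 3):
        return v < FIXED_2_3
    if v[:2] == (2, 5):
        return v < FIXED_2_5
    # Assumption: unsupported pre-2.3 lines are treated as affected (Apache
    # lists them as possibly affected); anything newer post-dates the fix.
    return v < (2, 3)


def version_from_manifest(manifest: str):
    """Pull the version out of a META-INF/MANIFEST.MF body, or None."""
    for key in ("Implementation-Version", "Bundle-Version"):
        m = re.search(rf"^{key}:\s*(\S+)", manifest, re.MULTILINE)
        if m:
            return m.group(1)
    return None


def jar_version(path: str):
    """Prefer the manifest inside the jar; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            v = version_from_manifest(text)
            if v:
                return v
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable or manifest-less jar: rely on the file name
    m = JAR_NAME_RE.match(os.path.basename(path))
    return m.group(1) if m else None


def audit_tree(root: str) -> list:
    """Walk exploded webapps under root; return (jar_path, version, vulnerable)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if JAR_NAME_RE.match(name):
                path = os.path.join(dirpath, name)
                v = jar_version(path)
                findings.append((path, v, is_vulnerable(v) if v else None))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, v, vuln in audit_tree(root):
        state = "UNKNOWN" if vuln is None else ("VULNERABLE" if vuln else "patched")
        print(f"{state:10} {v or '?':10} {path}")
```

Jars packed inside an undeployed .war are not opened by this walk; extract or deploy the archive first, or extend jar_version to recurse into nested archives.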