Patched Apache Struts Under Attack

Friday, April 7, 2017 @ 05:04 PM gHale

A patched Apache Struts 2 vulnerability is now undergoing exploitation to deliver Cerber ransomware to Windows systems, researchers said.

Attackers can leverage the flaw, tracked as CVE-2017-5638, for remote code execution.

Cisco Suffers from Apache Struts2 Hole
Android Ransomware Delays, Confuses AV
More Ransomware Decryption Tools Available
Ransomware Avoids Machine Learning

Bad guys started exploiting the vulnerability to deliver malware shortly after a patch was available and proof-of-concept (PoC) exploit released.

For the most part attackers targeted Unix systems with backdoors and distributed denial-of-service (DDoS) bots, but lately researchers also spotted a campaign targeting Windows machines.

At the end of March, researchers at F5 Networks started seeing attacks delivering Cerber ransomware to Windows servers. Researchers at the SANS Technology Institute also reported seeing these attacks on Wednesday.

Attackers used the exploit to execute shell commands and run BITSAdmin and other command-line tools shipped with Windows. These tools end up used to download and execute the ransomware.

The ransomware encrypts important files found on the system and demands money in return for the “special decryption software” needed to recover the files.

The Bitcoin address where victims end up told to send the ransom is the same across multiple campaigns. F5 Networks reported seeing 84 bitcoins, currently worth nearly $100,000, in that address.

Leave a Reply

You must be logged in to post a comment.