Apache Struts 2 Vulnerability (CVE-2018-11776) Exploited in CroniX Crypto-Mining Campaign

2024 Cybersecurity Predictions


Just two weeks ago a new Apache Struts 2 critical remote code execution vulnerability was published,1 and F5 researchers have already detected known threat actors exploiting it in a new crypto-mining campaign:

Several proof-of-concept exploits were published on Github2 and Twitter a few days after the vulnerability was responsibly disclosed by Semmle, and the current threat actor seems to have quickly adopted one of these exploits in its arsenal.

Recall that just a year and a half ago, Equifax was hit with another vulnerability on its Apache Struts 2 servers (CVE-2017-5638). That attack resulted in the exposure of personally identifiable information (PII) of 147 million consumers and has (so far) cost the company over $439 million.3

Attack Analysis

As with many other Apache Struts 2 vulnerabilities, CVE-2018-11776 allows attackers to inject Object-Graph Navigation Language (OGNL) expressions, which might contain malicious Java code that is evaluated under several circumstances. This time, the injection point is within the URL.

The attacker sends a single HTTP request while injecting an OGNL expression that, once evaluated, executes shell commands to download and execute a malicious file.



Source link
lol

Just two weeks ago a new Apache Struts 2 critical remote code execution vulnerability was published,1 and F5 researchers have already detected known threat actors exploiting it in a new crypto-mining campaign: CVE-2018-11776 Apache Struts 2 namespace vulnerability allows unauthenticated remote code execution. In this Monero crypto-mining campaign, the injection point is within the URL.…

Leave a Reply

Your email address will not be published. Required fields are marked *