a-PATCH-e: Struts Vulnerabilities Run Rampant

by Steve Povolny

Equifax confirmed the attack vector used in its data breach to be CVE-2017-5638, a vulnerability patched last March 2017 via S2-045. The vulnerability was exploited to gain unauthorized access to highly sensitive data of approximately 143 million U.S. and 400,000 U.K. customers, as well as 100,000 Canadian consumers. This vulnerability was first disclosed in March, almost immediately followed by publicly available POCs, weaponized exploits, and scanners produced by third parties.

Trend Micro observed thousands of filter events via our intrusion prevention solutions against the filters for this vulnerability since March, and these exploits or enumeration attempts are still being seen. It’s worth noting that these solutions can leverage these filters to provide a highly effective virtual patch to address critical Apache Struts vulnerabilities until actual software updates are deployed to secure the system.

We’ve observed the filter events against this vulnerability from a large number of countries, with the majority of events sourced from regions below:

Figure 1: Graphical representation of top source countries of attackers for CVE-2017-5638

Trend Micro has also actively blocked and thwarted attacks and enumeration attempts against organizations across various industries, including universities in the U.S., Europe and South America, healthcare, internet service, and telecommunications providers, automotive manufacturers, banks and other financial institutions.

Apache Struts Vulnerabilities are Actively Exploited
The following image is an example of an exploit attempting to leverage the vulnerability used to breach Equifax:

Figure 2: Screenshot of exploitation attempt against CVE-2017-5638

On July 11, we released a filter for the vulnerability techniques observed in another critical Apache Struts application (identified as CVE-2017-9791, patched in July via S2-048). Several weeks ago, a spate of Apache Struts vulnerabilities was published, including CVE-2017-12611 (patched September 9 via S2-053). We quickly located all public exploits surrounding the vulnerability and tested them against our Digital Vaccine filters. They didn’t just block all versions of this exploit with no updates needed; digging deeper, we found these filters have already been blocking intrusion attempts for nearly two months. The diagrams below highlight the timeline of events we observed in relation to the exploit code’s availability.

Figure 3: Timeline of intrusion attempts we observed exploiting CVE-2017-5683 (click to enlarge)

Figure 4: Timeline of attack attempts we observed exploiting CVE-2017-12611, based on existing filter coverage released last July for CVE-2017-9791; note that the figure is based on 5% of total customer activity (click to enlarge)

The types of attacks we have observed have been a combination of targeted or non-targeted intrusion attempts as well as automated enumeration scans for fingerprinting vulnerable servers. Below is a screenshot of an enumeration attempt using the non-intrusive ECHO command, which can be used to inform the attacker if the targeted machine is vulnerable.

Figure 5: Code snippet (highlighted) showing the ECHO command

A Lesson on Patching
A vulnerable framework can cause significant damage regardless of the kind or type of flaw, and it can affect things beyond a company’s bottom line and reputation. At stake are also the privacy and security of personally identifiable data, which can have long-term, real-life repercussions when compromised—not to mention the risk to the integrity of the infrastructure from which the information changes hands.

The takeaway? A single, vulnerable machine on a network is sometimes all it takes to affect millions. Implement defense in depth. Apply more robust patch management policies, but strike a balance between your business needs and the importance of securing your assets and data. Some best practices include:

  • Patching your systems and servers as well as the applications that run on them
  • Deploying vulnerability-driven filters to provide a wider net of protection to the network, system or server
  • Considering virtual patching to address unidentified vulnerabilities or platforms for which patches aren’t directly available
  • Enforcing the principle of least privilege, avoiding or minimizing the use of third-party applications, and disabling unnecessary components to limit your attack surface
  • Proactively monitoring your network, i.e., employing firewalls as well as intrusion detection and prevention systems
  • Backing up your files and implementing defensive measures such as data categorization and network segmentation


Trend Micro Solutions
Trend MicroTippingPoint™ provides virtual patching and extensive zero-day protection against network-exploitable vulnerabilities via DigitalVaccine™ filters. Trend Micro™ Deep Security™ and Vulnerability Protection also provide virtual patching that protects servers and endpoints from threats that abuse vulnerabilities in critical applications such as Apache Struts. OfficeScan’s Vulnerability Protection shields endpoints from identified and unknown vulnerability exploits even before patches are deployed. Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats that may exploit Struts vulnerabilities even without an engine or pattern update.

Here are the links to the list of Trend Micro protections against these Apache Struts vulnerabilities: CVE-2017-5638, CVE-2017-9791, and CVE-2017-9805.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

a-PATCH-e: Struts Vulnerabilities Run Rampant

Read more: a-PATCH-e: Struts Vulnerabilities Run Rampant

Story added 21. September 2017, content source with full text you can find at link above.