NetFort Advertising

Detect Hosts Targeting Apache Struts Vulnerability CVE-2018-11776

Apache Struts Vulnerability

What is Apache Struts and vulnerability CVE-2018-11776

Apache Struts is a free and open-source framework used to build Java web applications. On Wednesday, August 22, 2018, the Apache Foundation released a security bulletin for a critical vulnerability in the Apache Struts framework. Applications developed using Apache Struts are potentially vulnerable.

The vulnerability (CVE-2018-11776) was identified and reported by Man Yue Mo from the Semmle Security Research Team, which works to find and report critical vulnerabilities in widely used open source software. This is not the first remote code execution vulnerability discovered on Apache Struts. Previously the framework was targeted with vulnerabilities CVE-2017-9793, CVE-2017-9804, and CVE-2017-9805

Cryptocurrency miners have begun using these vulnerabilities to compromise servers to mine the Monero digital currency. Tools such as Apache Struts Version 3 can also be used to exploit vulnerabilities on ApacheStruts. The reality is that unpatched Apache Struts installations can leave organizations open to significant risks.

How to detect if attackers are targeting the CVE-2018-11776 vulnerability on your network

When in comes to monitoring, there are certain packet payloads and DNS requests that you should watch out for. Suspicious payloads can be detected by using an Intrusion Detection System (IDS) and DNS lookups can be tracked down by using a traffic analysis application like our own LANGuardian.

There are two IDS signatures in our current LANGuardian ruleset which focus on the Apache Struts Vulnerability CVE-2018-11776:

  • ET EXPLOIT Apache Struts RCE CVE-2018-11776 POC M1′  sid 2026025
  • ET EXPLOIT Apache Struts RCE CVE-2018-11776 POC M2′  sid 2026026

Constant monitoring of DNS queries is a good way to keep an inventory of what types of services clients on your network are trying to connect to. At the moment attackers who are successfully exploiting Apache Struts deployments via CVE-2018-11776 are using them to mine Cryptocurrency. One of the indicators of this is any DNS lookups to the domain:

  • us-east.cryptonight-hub.miningpoolhub.com

Running LANGuardian reports associated with CVE-2018-1177

DNS Lookups

  1. Enter DNS lookups into the LANGuardian search bar
  2. Select the report Security :: DNS Lookups Associated with Malware Domains by User
  3. Enter us-east.cryptonight-hub.miningpoolhub.com into the Host Name report filter
  4. Select a time period and run report
  5. Save as custom report if necessary by clicking on Actions / Save As
CVE-2018-11776 DNS Lookup

IDS Signatures

  1. Enter All Events into the LANGuardian search bar
  2. Select the report All Events :: Events by Signature
  3. Enter CVE-2018-11776 into the Signature Name report filter
  4. Select a time period and run report
  5. Save as custom report if necessary by clicking on Actions / Save As
CVE-2018-11776 Snort IDS events

Conclusion

The Apache Struts framework continues to be targeted by attackers due to a steady stream of vulnerabilities. It is important that organizations remain diligent, ensuring this software is updated quickly when new patches are released or otherwise limiting external access to websites leveraging it.

Although the main payload for Apache Struts exploits at the moment appears to be cryptocurrency miners, failure to patch also leaves an organization open to significant risk that goes beyond cryptomining.

Make sure you monitor network traffic going to and from any Apache servers that you host on your network. This is especially true of the servers that can be accessed by external hosts. Also, make sure that your traffic monitoring application is updated with the latest IDS or DNS malware lists so that you can quickly spot problems.