Menu
Apache Struts 2 exploit used to install ransomware on servers

Apache Struts 2 exploit used to install ransomware on servers

Attackers exploit a Struts vulnerability patched in March to install the Cerber ransomware on Windows servers

IDG

IDG

Attackers are exploiting a vulnerability patched last month in the Apache Struts web development framework to install ransomware on servers.

The SANS Internet Storm Center issued an alert Thursday, saying an attack campaign is compromising Windows servers through a vulnerability tracked as CVE-2017-5638.

The flaw is located in the Jakarta Multipart parser in Apache Struts 2 and allows attackers to execute system commands with the privileges of the user running the web server process.

This vulnerability was patched on March 6 in Struts versions 2.3.32 and 2.5.10.1. Attackers started exploiting the flaw almost immediately, leaving very little time for server administrators to deploy the update.

While the initial attack campaigns deployed simple backdoors and Unix bots, the latest attacks seen by researchers from SANS is deploying a potentially much more damaging malware: the Cerber ransomware program.

Cerber appeared over a year ago and has had time to mature. It is well developed and its encryption implementation has no known flaws that could allow the free recovery of files.

Struts is widely used for application development in enterprise environments and this is not the first time when server enterprise server software has been exploited to install ransomware. Last year, attackers took advantage of a vulnerability in the JBoss application server in a similar manner.

Server administrators who haven't updated their Struts deployments should do so as soon as possible. Also, since this vulnerability allows command execution with the privileges of the user running the application, so its good to run the process from unprivileged accounts.

Furthermore, application whitelisting policies can be used on Windows servers to limit which applications unprivileged users can execute, blocking the ability of attackers to execute ransomware or other malicious programs.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

Reseller News Innovation Awards 2018: meet the top performing partners

Reseller News Innovation Awards 2018: meet the top performing partners

Reseller News honoured the industry’s finest on a standout evening for the New Zealand channel, recognising the achievements of established partners, emerging players and innovative start-ups, in front of over 460 technology leaders in Auckland.

Reseller News Innovation Awards 2018: meet the top performing partners
Champagne Reception kicks off Reseller News Innovation Awards 2018

Champagne Reception kicks off Reseller News Innovation Awards 2018

More than 460 channel leaders came together to toast the top performers of the New Zealand industry, during the opening Champagne Reception at the Reseller News Innovation Awards 2018 - in association with Techbuyer.

Champagne Reception kicks off Reseller News Innovation Awards 2018
Chasing innovation: how Kiwi partners can create a new customer agenda

Chasing innovation: how Kiwi partners can create a new customer agenda

This exclusive Reseller News Roundtable - in association with Rhipe and Microsoft - detailed a blueprint for customer success, outlining the new role of the modern-day partner and wider network in New Zealand.

Chasing innovation: how Kiwi partners can create a new customer agenda
Show Comments