
Akamai Security Intelligence & Threat Research

Attack Status: Apache Struts Vulnerability (CVE-2018-11776)



This blog post is a follow-up to https://blogs.akamai.com/2018/08/apache-struts-vulnerability-cve-2018-11776.html and its purpose is to highlight attack data we have seen on the Akamai network related to this vulnerability.

Apache Struts OGNL Attacks

Due to previous Apache Struts vulnerabilities that have been released over the recent years, we normally see a pretty steady stream of attacks aimed at our Kona Site Defender (KSD) and Web Application Protector (WAP) customers.  It is also important to note that we typically see an uptick in attacks when new vulnerabilities are announced.  Figure 1 shows data on our Threat Research Grafana board for the past year and lists alert triggers for one of our Apache Struts OGNL rules.

Figure 1: Apache Struts OGNL Attack Triggers

The important points to highlight are the corresponding increases in triggers that follow the public announcement of Apache Struts vulnerabilities:

  • S2-055 -- An RCE vulnerability in the Jackson JSON library

  • S2-056 -- A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin

  • S2-057 -- Possible Remote Code Execution when using results with no namespace while, at the same time, the upper action(s) have no namespace or a wildcard namespace. The same possibility exists when using a url tag that has neither a value nor an action set.

CVE-2018-11776

Once Apache released information on this new CVE, we quickly analyzed Proof of Concept (PoC) exploit code and automatically updated the detection logic in our WAF products to identify this new vector.  We can once again review how this data looks on our Grafana boards in Figure 2 by narrowing our focus to the past couple of days.

Figure 2: Attacks Correlated to Public Vulnerability Details

Today, I analyzed alert triggers on our Cloud Security Intelligence (CSI) platform and filtered my search only for triggers related to this new CVE.  Here is what I found:

  • There were 2473 triggers in the past 12 hours.

  • These were triggered from 86 different IP addresses.

  • Attacks targeted 681 customer domains.

Attack Sources

The top attack source by number of attacks is Hong Kong, and coming in at second place is the Dynamic Application Security Testing (DAST) vendor Whitehat Security.


Pivoting from the number of attacks to how quickly attacks leveraged the new exploit details is important. This is a metric that Akamai is able to observe from our vantage point: which commercial DAST vendors are fastest at adding checks for emerging vulnerabilities? In this case, Whitehat Security was the first DAST vendor we observed.

Attack Payloads

All payloads we have seen thus far are vulnerability confirmation attempts and not attempts to actually exploit, steal data, or install malicious code.  Here are two examples:

Adding a new response header:

Using timing with the "sleep" command:


While these specific payloads are benign, this could be the initial reconnaissance phase, in which vulnerable target sites are identified for a later attack.
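As an added example (not Akamai's code or tooling), the following Python triage script shows how a defender could reproduce the kind of tally given above (triggers, distinct source IPs, distinct target domains, top source) and separate the two confirmation-probe classes just described (response-header probes and sleep-timing probes) from other OGNL-marker requests. It assumes constructed access-log lines in combined log format with a trailing Host field, and the OGNL bodies in the samples are deliberately inert placeholders rather than real payloads.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log lines (combined log format plus a trailing Host field).
# The braces contain placeholder tokens, not working OGNL expressions.
SAMPLE_LOGS = """\
198.51.100.7 - - [23/Aug/2018:10:01:12 +0000] "GET /${probe-addHeader}/index.action HTTP/1.1" 200 512 shop.example.com
198.51.100.7 - - [23/Aug/2018:10:01:13 +0000] "GET /%24%7Bprobe-sleep%7D/index.action HTTP/1.1" 200 512 shop.example.com
203.0.113.9 - - [23/Aug/2018:10:02:01 +0000] "GET /${probe-addHeader}/login.action HTTP/1.1" 200 512 portal.example.org
203.0.113.9 - - [23/Aug/2018:10:02:05 +0000] "GET /catalog/list.action?page=2 HTTP/1.1" 200 2048 shop.example.com
192.0.2.44 - - [23/Aug/2018:10:03:40 +0000] "GET /%25%7Bprobe-other%7D/home.action HTTP/1.1" 200 512 intranet.example.net
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]+" '
    r'\d+ \d+ (?P<host>\S+)$'
)


def classify(path):
    """Return the probe class for a request path, or None if no OGNL marker is present."""
    decoded = unquote(path.split("?", 1)[0])  # URL-decode once; query string is out of scope here
    if "${" not in decoded and "%{" not in decoded:
        return None
    low = decoded.lower()
    if "addheader" in low:      # "adding a new response header" confirmation probe
        return "header-probe"
    if "sleep" in low:          # "sleep" timing confirmation probe
        return "timing-probe"
    return "ognl-other"


def triage(log_text):
    """Parse log lines, keep OGNL-marker requests, and summarise them like the CSI tally above."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed log format
        kind = classify(m["path"])
        if kind:
            hits.append((m["ip"], m["host"], kind))
    by_ip = Counter(ip for ip, _, _ in hits)
    return {
        "triggers": len(hits),
        "source_ips": len(by_ip),
        "target_domains": len({host for _, host, _ in hits}),
        "top_source": by_ip.most_common(1)[0][0] if by_ip else None,
        "by_kind": dict(Counter(kind for _, _, kind in hits)),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOGS))
```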

Multi-Layered Detections

Similar to what we saw with the previous Drupalgeddon2 Exploits, WAF rules were not the only detection logic that triggered on these exploit attempts.

  • Client Reputation - KSD customers who also have Client Reputation received enhanced protection, as our intelligence feeds were automatically updated with threat scores in the Web Attacker category.

  • Bot Manager (BotMan) - For KSD customers who also have BotMan, these attacks were also identified as automated scripts and bots.

These are critical complementary protections that are constantly updated and provide protections against 0-day exploit attempts by leveraging intelligence on the source of the attack.

Conclusion

It is paramount that organizations have policies, plans and procedures for handling the public disclosure of a vulnerability in software they are using.  As we showed in this blog post, attackers monitor these public disclosures and are very quick to modify their own processes to leverage new vectors for their attacks.  In addition to software patching, organizations should ensure that they are leveraging the full defensive capabilities of their web application security provider.
