Latest Apache Struts 2 Vulnerability Potentially Affects Top 65 Of Fortune 100

A PoC and two exploits have already been released, one of which is a Metasploit module.

Abhishek Bhuyan
Beyond The Perimeter
Sep 7, 2017


Apache Struts, enterprises, and attackers: A twisted love triangle

Early in March this year, an Apache Struts vulnerability was found being actively exploited in the wild. A proof of concept (PoC) was published within 24 hours of the advisory.

Apache Struts being as popular as it is (65% of the Fortune 100 run on it), massive exploitation of the vulnerability was observed in the days that followed. Emboldened by the time it took to patch CVE-2017-5638, especially at enterprises, attackers progressed from Linux servers to Windows ones, dropping the Cerber ransomware on compromised servers.

Social and forum chatter rocketed. This had rarely ever happened before. Attackers had found a way to reach millions of users without needing to compromise anywhere near as many clients.

ThreatLandscape caught the chatter early, mapped it to the vulnerability, and issued early warnings to our partners and customers.

Rumored responsible for the latest Equifax hack ©ThreatLandscape

“Watchtower to all listening posts, keep ears pricked for Struts!”

Given our tryst with Struts, we have been (and still are) on the watch for any further news about CVE-2017-5638 or anything else relating to Apache Struts.

CVE-2017-9805, a vulnerability in Struts’ REST plugin, was discovered and reported by security researchers at http://lgtm.com.

“The weakness is caused by the way Struts deserializes untrusted data.”

This was Bas van Schaik writing about the vulnerability and its impact on September 5.

Our waiting and listening had paid off.

Enter ThreatLandscape!

The ThreatLandscape platform picked up the PoC within a couple of hours of its publication and alerted us to it. From then on, it was simply a matter of our algorithms making contextual associations between the PoC and the published exploits and assigning increasing criticality scores, all without anyone clicking anything at all.

To put this in context, correlating something like this by hand would take days. The timeline below shows how ThreatLandscape made it all a matter of hours.

Near-real-time disclosure of vulnerability, PoC, and exploits ©ThreatLandscape

At the time of publishing, the publicly available exploits are only 24 hours old, which means CVE-2017-9805 can still practically be treated as a zero-day.

Let there be intelligence

Volume trend shows chatter around the Apache Struts vulnerability (CVE-2017-9805) peaking two days before ©ThreatLandscape

A volume graph like this isn’t just pretty to look at. See past the shiny and you’ll notice that CVE-2017-9805 (red box above) started trending in the two days before this report was published.

Each of those entries, including this vulnerability, can be drilled into. With each click (we did say these would come), you are presented with additional context for the entry, connecting it to occurrences in threat feeds, mentions in hand-picked security blogs, and rules triggered in our engine.

Pivoting further, you can then find related vulnerabilities, actor info, and further PoCs and exploits — on one unified interface.

Why threat intel

The days of waiting for the NVD to report a CVE, or for a PoC to pop up on your radar after, er, days, are over. Not because it is nice not to wait for critical info (which it is, BTW) but because you can’t afford to.

Put this all into perspective for a moment. If you’re one of the top 65 businesses in the world, can you really afford a Cerber variant on your servers because you were late getting the information? I mean, what the $#*!

And if you’re not one of the top 65, do you willfully want to run the risk of not recovering from a ransomware attack — ever?

ThreatLandscape is already helping governments and enterprises preempt threats and reduce time to mitigation by 10X. Get in touch for a custom show-and-tell and a free consult on how we can help.
