Hackers Exploiting Critical Apache Struts Flaw

The Shadowserver Foundation, which tracks malicious activity, on Wednesday detected initial activity with a limited number of IP addresses engaged in exploitation attempts.

See Also: 10 Belt-Tightening Tips for CISOs to Weather the Downturn

The Australian Signals Directorate in a Thursday security advisory likewise warned that “exploitation attempts have been observed globally.” The Computer Emergency Response Team of France issued a similar alert stating it is aware of exploitation attempts.

The Apache Foundation, which manages the Struts library, on Dec. 7 urged developers to apply a patch to resolve a flaw enabling a path traversal attack – that is, enabling access to other directories on a web server that an attacker shouldn’t have access to and in some cases the ability to upload a malicious file for remote code execution. The flaw is tracked as CVE-2023-50164 and carries a CVSS score of 9.8 out of 10.

Apache Struts is an open-source framework for developing Java EE web applications. Several Fortune 100 companies and government organizations worldwide use it. It gained disproportionate fame in 2017 as the software Chinese state hackers exploited to gain access to U.S. credit reporting agency Equifax, resulting in a data breach that affected nearly every adult American. Equifax let a critical flaw in the online framework go unpatched for months after the Apache Foundation disclosed it.

Cyberthreat intelligence firm Akamai also recorded exploit attempts of this new flaw. “Attackers aim to deploy webshells, with some cases targeting the parameter ‘fileFileName’ – a deviation from the original exploit PoC,” Akamai said.

This security flaw’s exploitation could result in the attacker modifying sensitive files, data theft, service disruption or even lateral movement within the network, experts said.

Cybersecurity firm Praetorian said the exploitation of CVE-2023-50164 involves several preconditions dependent on the behavior and implementation of the application using Apache Struts. “It will be very difficult for an attacker to scan for and exploit this vulnerability at scale,” the firm wrote.

Security researcher Jakab Ákos published a technical blog explaining how threat actors could manipulate file upload parameters in attacks. This was followed by another technical analysis, which contained the exploit code. Steven Seeley of Source Incite, to whom Apache attributed the bug’s finding, called it a “correct analysis.”

American data management firm Veritas and networking giant Cisco are both currently investigating CVE-2023-50164 to assess the impact on its products that use Apache Struts. Veritas has listed 24 products that it is investigating, and Cisco has listed more than 20 products currently under investigation.