The Apache Struts web development framework has received new security updates to address a critical vulnerability that could allow attackers to compromise web applications and servers.
Apache Struts is widely used for developing web applications in enterprise environments. The failure to patch a known critical vulnerability in the framework led to the massive data breach announced last year at Equifax.
The new flaw, tracked as CVE-2018-11776, was discovered by Man Yue Mo from the Security Research Team at Semmle, a company whose technology can find vulnerabilities in source code by using a specially developed query language. The company’s research team found similar flaws in Struts in the past.
“It is possible to perform a RCE [remote code execution] attack when namespace value isn’t set for a result defined in underlying configurations and in same time, its upper action(s) configurations have no or wildcard namespace,” the Struts developers said in a security advisory. “Same possibility when using url tag which doesn’t have value and action set and in same time, its upper action(s) configurations have no or wildcard namespace.”
Users are advised to update their Struts deployments to versions 2.3.34 or 2.5.16, depending on which branch they use. Older versions of Struts that are no longer officially supported also might be vulnerable.
Developers also can protect their applications by verifying that they always set a namespace for their defined results in configurations, as well as a value or action of all URL tags in JSPs. However, the Struts team warns that this workaround is weak and the best course of action is to update the framework to a patched version, especially since the new releases only contain this security fix and shouldn’t cause any incompatibilities with existing code.
Apache Struts is an attractive target for hackers and, judging by past incidents, proof-of-concept exploits and real-world attacks are likely to appear soon.
“Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,” Pavel Avgustinov, VP of Engineering at Semmle, said via email. “A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It’s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.”
Turla Cyberespionage Group Controls Infected Computers via Hidden Emails
The Turla cyberespionage group uses an unusual command-and-control technique: Commands are embedded in PDF files that are sent to victims via email and are then hidden by the malicious program.
Turla or Uroboros, is a highly successful APT group of Russian origin that has been targeting government organizations, state officials, diplomats and military authorities from many countries since 2008. Its main backdoor program dates back to 2009 and has undergone many modifications and improvements over the years.
“The most recently discovered version, from April 2018, incorporates the ability to execute malicious PowerShell scripts directly in computer memory, which is a tactic that threat actors of various stripes have been embracing in the past few years,” researchers from antivirus vendor ESET said in a blog post.
ESET has also published a new paper that analyzes the backdoor in detail, including its ability to receive commands and exfiltrate data through PDF files, a functionality that was added over the past two years.
The Turla backdoor targeted The Bat! email client in the past, which is popular in Eastern Europe, but recent versions are focused on Microsoft Outlook. In particular, the backdoor uses the COM object hijacking technique to achieve persistence on computers and to attach itself to the Outlook process. This allows it to activate itself each time the application is opened.
Furthermore, the backdoor abuses Outlook’s Messaging Application Programming Interface (MAPI) to access victims’ mailboxes. This allows it to gather and exfiltrate data about received emails, but also to hide emails received from attackers and to block notifications about them.
“In each incoming email, the backdoor checks for the presence of a PDF that may contain commands from the attacker,” the researchers said. “In fact, it is ‘operator-agnostic,’ meaning that it accepts commands from anybody who can encode them into a PDF document. As a corollary, Turla’s operators are able to regain control of the backdoor by sending a command from any email address, should any of their hardcoded – but updatable – email addresses be blocked.”
Similarly, exfiltrated data is encoded into a PDF document and emailed back to the attackers, making it the only cyberespionage threat that is fully and exclusively controlled via email and PDF attachments.