Apache Struts exploit found in Mirai variant may signify shift in attack strategy

News by Bradley Barth

Researchers for the first time have discovered a variant of the Mirai Internet of Things botnet that targets a vulnerability found in unpatched versions of the open-source Apache Struts web app development platform.

That bug is none other than the infamous CVE-2017-5638, a remote code execution flaw in the Struts 2 Jakarta multipart parser that was exploited in the Equifax data breach, according to a 9 September blog post from Palo Alto Networks' Unit 42 threat research division. And "the decision to strategically incorporate this bug could indicate a larger movement from consumer device targets to enterprise targets," writes post author and researcher Ruchna Nigam.

CVE-2017-5638 is actually just one of 16 vulnerabilities that the Mirai variant abuses, including RCE and command injection bugs in a wide variety of networking devices, routers, CCTV cameras and DVRs.
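A check an operator can run against request logs for the Struts exploit discussed above, added here as an example (it is not code from the article or from Unit 42). Public CVE-2017-5638 exploits deliver an OGNL expression in the Content-Type request header, which a vulnerable Jakarta multipart parser echoes into an error message and evaluates. Ordinary access logs do not record that header, so the example assumes a constructed proxy/WAF log format that does; the log lines, field layout, and the `scan`/`classify_content_type` helpers are all assumptions made for this example:

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed proxy/WAF-style log format (assumed, not from the article):
#   <client_ip> <method> <path> content-type=<raw Content-Type header value>
LOG_LINE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) content-type=(?P<ctype>.*)$"
)

# OGNL expressions open with %{ or ${; a legitimate Content-Type never does.
OGNL_START = re.compile(r"[%$]\{")

# Identifiers that public CVE-2017-5638 payloads rely on to escape the
# OGNL sandbox and spawn a process. Their presence raises confidence.
OGNL_HINTS = re.compile(
    r"@ognl\.OgnlContext@|DEFAULT_MEMBER_ACCESS|_memberAccess|"
    r"ProcessBuilder|com\.opensymphony\.xwork2",
    re.IGNORECASE,
)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    "203.0.113.5 POST /struts2-showcase/index.action content-type=multipart/form-data; boundary=----abc",
    "203.0.113.9 GET /index.action content-type=-",
    "198.51.100.7 POST /index.action content-type=%{(#_='multipart/form-data')."
    "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id')."
    "(#p=new java.lang.ProcessBuilder(#cmd))}",
    "198.51.100.8 POST /index.action content-type=${#context"
    "['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-T','1')}",
]


@dataclass
class Hit:
    ip: str
    path: str
    reason: str


def classify_content_type(ctype: str) -> Optional[str]:
    """Return why a Content-Type value looks like an OGNL injection, or None."""
    if not OGNL_START.search(ctype):
        return None
    hints = sorted({h.lower() for h in OGNL_HINTS.findall(ctype)})
    if hints:
        return "OGNL expression in Content-Type with " + ", ".join(hints)
    return "OGNL expression marker in Content-Type"


def scan(lines: Iterable[str]) -> List[Hit]:
    """Parse each log line and collect requests carrying an OGNL payload."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m:
            continue  # unparseable line; skip rather than guess
        reason = classify_content_type(m.group("ctype"))
        if reason:
            hits.append(Hit(m.group("ip"), m.group("path"), reason))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ip} -> {hit.path}: {hit.reason}")
```

The `%{`/`${` marker alone is a strong signal because no valid media type contains it; the identifier hints separate working exploit payloads from scanners sending a bare probe. The same flaw can also be reached through crafted Content-Disposition and Content-Length headers, so a production rule should apply the same test to those fields. Matching on the header is only a first pass: a hit should be followed by checking the Struts version on the host and the web server's process tree.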

Unit 42 researchers uncovered samples of the Mirai variant on 7 September, tracing the threat to a pair of malicious domains, one of which was used in August to spread a new version of a second IoT botnet called Gafgyt.

The Gafgyt variant had been updated to include an exploit for CVE-2018-9866, a recently discovered, critical remote code execution bug in older, unsupported versions of network security vendor SonicWall's Global Management System (GMS builds 8.1 and earlier).

"These samples first surfaced on 5 August, less than a week after the publication of a Metasploit module for this vulnerability," and less than three weeks after SonicWall disclosed the issue in a 17 July security advisory, Nigam said in the post.

The samples of the Gafgyt variant that were studied also included exploits for devices from Huawei and D-Link, and can launch a "BlackNurse" DDoS attack, a low-bandwidth flood of Internet Control Message Protocol (ICMP) Type 3 Code 3 (port unreachable) packets that exhausts the CPU of some firewalls.
