Apache Struts is Back

This week, the Alert Logic ActiveIntelligence team highlights how Apache Struts makes a comeback and how RawPOS POS malware has been tweaked to avoid detection.

Breach

Apache Struts Makes a Comeback

Hackers are actively exploiting a critical vulnerability that allows them to take almost complete control of Web servers used by banks, government agencies, and large Internet companies. The code-execution bug resides in the Apache Struts 2 Web application framework and is trivial to exploit.

The vulnerability resides in what's known as the Jakarta file upload multipart parser, which according to official Apache Struts 2 documentation is a standard part of the framework and needs only a supporting library to function. Apache Struts versions affected by the vulnerability include Struts 2.3.5 through 2.3.31, and 2.5 through 2.5.10. Servers running any of these versions should upgrade to 2.3.32 or 2.5.10.1 immediately.
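The affected and fixed versions above are easy to misjudge when comparing dotted strings by hand (2.5.10.1 sorts after 2.5.10, for instance). The following added example, not Alert Logic's or the Struts project's code, encodes the ranges quoted in this post as a version check that can be run over a constructed host inventory; the inventory entries and hostnames are made-up sample data.

```python
"""Classify Apache Struts 2 versions against the affected ranges named above."""
import re
from typing import Dict, Optional, Tuple

# Affected ranges quoted from the post (inclusive), keyed by branch,
# with the fixed release that the post says to upgrade to.
AFFECTED = {
    (2, 3): ((2, 3, 5), (2, 3, 31), "2.3.32"),
    (2, 5): ((2, 5, 0), (2, 5, 10), "2.5.10.1"),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1); '2.5' is padded to (2, 5, 0).

    Only the leading numeric dotted part is used, so a suffix such as
    '-SNAPSHOT' does not break the comparison.
    """
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"not a version string: {text!r}")
    nums = tuple(int(p) for p in match.group(1).split("."))
    return nums + (0,) * max(0, 3 - len(nums))


def check_struts(version: str) -> Optional[str]:
    """Return the fixed version to upgrade to if `version` is affected, else None.

    Tuple comparison makes 2.5.10.1 > 2.5.10, so the fixed release is not
    flagged while 2.5.10 itself still is.
    """
    v = parse_version(version)
    branch = AFFECTED.get(v[:2])
    if branch is None:
        return None
    low, high, fixed = branch
    return fixed if low <= v <= high else None


def audit_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host running an affected Struts version to its upgrade target."""
    findings = {}
    for host, version in inventory.items():
        fixed = check_struts(version)
        if fixed is not None:
            findings[host] = fixed
    return findings


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "web-01.example.test": "2.3.31",
    "web-02.example.test": "2.5.10.1",
    "web-03.example.test": "2.5",
}
```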

References: Hackers Exploit Apache Struts Vulnerability to Compromise Corporate Web Servers | 7 Things That Happened After WikiLeaks Dumped The CIA Hacking Files | Critical Vulnerability Under “Massive” Attack Imperils High-Impact Sites

Mitigation Strategies:

Malware

RawPOS POS Malware Tweaked to Avoid Detection

RawPOS, which has been in operation since 2008, has compromised numerous retail operations of various sizes. Despite being almost a decade old, RawPOS is still going strong, and cybersecurity researchers have discovered a new version of it which they said has remained undetected by an unnamed 'legacy antivirus vendor' for over a month.

Researchers have concluded that the newer variant of RawPOS has no new functionality and is most likely an attempt to evade signatures, as evidenced by the code areas that changed.

References: RawPOS Malware Rides Again | One of the Oldest Forms of POS Malware Has Been Tweaked to Avoid Detection

Mitigation Strategies:

  • A FIM solution would detect any type of file modification or addition
  • Intrusion detection system (IDS) signatures would detect intrusion and network anomalies
  • Log management could detect any suspicious user account activity
  • Netflow traffic may reveal large data transfers and potential data leakage, as well as outbound connections to countries you may not do business in, which may be an indicator of malicious activity

This Week's Suspicious IP Addresses

  • 61.177.172.37
  • 61.177.172.19
  • 166.111.77.32
  • 188.118.2.26
  • 81.183.56.217
  • 46.109.168.179

*IP addresses provided by Recorded Future.