Best Security Search
Security News

Cerber Ransomware Spreads Through Apache Struts 2 Issue

The infamous Cerber ransomware is being actively spread by computer hackers via a dangerous vulnerability identified in the Apache Struts 2 application.

Apache Struts 2 Vulnerability Used To Spread Cerber Ransomware

A recently discovered vulnerability in the Apache Struts 2 program has allowed malicious users to exploit it and launch a devastating Cerber ransomware distribution campaign. This is a widely used open-source web application framework which is used to develop Java web applications. The identified issue allows for remote attackers to initiate a remote control execution (RCE) using a malicious content-type value. If the value isn’t valid an exception is created which displays an error message to the user. The issue has been rated as critical and all users of the framework are urged to upgrade to the newest versions. The affected Apache Struts 2 versions are Struts 2.3.5 – Struts 2.3.31 and Struts 2.5 – Struts 2.5.10. The upgrade path is to 2.3.32 or 2.5.10.1.

A relevant CVE report has been generated which carries the CVE-2017-5638 identifier. It reads the following: The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.

The SANS Institute Storm Center indicated last week that they have detected numerous attempts during the past month to exploit the vulnerability. According to their data a large-scale coordinated attack carrying the Cerber ransomware is abusing the vulnerability. For four days the honeypot servers on their network have receive 300 hits carrying the dangerous virus. The attack came from a Chinese IP which is probably a gateway used by the hackers.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Its interesting to note that in the attack campaign the payment instructions are placed on the infected machine in an unencrypted README file. The payment is initiated in a gateway found on the TOR anonymous network. The ransomware note itself contains the list of addresses used in this iteration of the virus. As always upon infection the virus starts its usual behavior patterns which modify the infected machine and encrypt the target user data. There is no major difference in the process – the virus proceeds to encrypt a predefined list of file type extensions all of which are renamed using random extensions. The vulnerability is dangerous when it is used in conjunction with an Apache web server running with root privileges. The attackers are using advanced network scanners to look out for such instances. Once a target has been identified the criminals use a three-step infection process:

  1. The attackers scan for a suitable target server which uses the Apache web server and the Struts 2 framework.

  2. The hackers craft a webserver request packet which includes the relevant malformed content type message.

  3. The remote command execution vulnerability is triggered and the Cerber ransomware is placed on the victim machine.

Note: The criminals are using predefined command-line injection commands to launch Cerber ransomware attacks. It is very possible that they may change tactics and switch to another virus or attempt to infect the target computers with another type of threat. This is the reason why end users should use a quality anti-malware solution to protect themselves. Such products can easily removed even the most persistent threat.

The vulnerability has allowed the hackers to run Windows tools such as shell commands and the ITSAdmin tool to download and install the Cerber ransomware. The script uses the BITSAdmin application to download the malware from a C&C server. The Cerber is found in a “UnInstall.exe” file saved in the %TEMP% directory. After this the malware is launched which starts the infection process.

F5 Network Staff analyzed the obtained Bitcoin address given to the victims and discovered that 84 Bitcoins have been sent to it. This is about 100 000 US Dollars in equivalent which means that the attack campaign has already succeeded.

As always we recommend that users install and use a quality anti-spyware product which is able to protect their computes from all types of malware. This product has an advanced engine which can detect and immediately prevent hacker attacks and viruses from infiltrating the computer.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.