Security experts alert that cybercriminals have been exploiting a recently patched Apache Struts 2 flaw to distribute the Cerber ransomware.
The vulnerability, detected as CVE-2017-5638, can be used for remote code execution. The malware distribution using the bug started not long after a patch for the flaw was made available and a proof-of-concept (PoC) exploit was released.
Initially, the hackers used backdoors and distributed denial-of-service (DDoS) bots to target mostly Unix Operating systems. However, researchers recently detected a campaign that was targeting Windows devices.
Around March 20th, F5 Networks researchers noticed attacks against Windows OSs, delivering the Cerber ransomware. On Wednesday, SAND Technology experts reported detecting these attacks as well.
The crooks relied on the exploit to execute shell commands and run BITSAdmin as well as other command-like tools shipped with Windows OSs. These tools would then be used to download and launch Cerber. As a classic ransomware, Cerber encrypts victims` files and then demands a ransom sum in exchange for the special decryption tool. Victims are instructed to send the money to a Bitcoins address which was spotted in several campaigns. According to F5 Networks, currently, there are 84 Bitcoins in that address which equals almost $100,000.
“The new vulnerability in Apache STRUTS provides a target-rich environment for threat actors to extend their business while infecting thousands of new servers.” – blogged F5 – “Targeting servers, rather than individuals, with ransomware has better chances for monetization because those are usually run by organizations with deeper pockets and better infrastructure that might be critical for their business.”
Moreover, researchers warn that the Apache Struts flaw affects many products. On Wednesday, Corben Douglas, an independent security researchers, reported that he tested AT&T systems a couple of days after the exploit was released and they turned out vulnerable to attacks. Douglas added that he was able to execute commands on AT&T servers, which could have allowed him to take control over the entire company.