Security Architecture, Application security, Application security, Endpoint/Device Security, IoT, Network Security, Network Security, Threat Management, Threat Management, Malware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Apache Struts exploit found in Mirai variant may signify shift in attack strategy

Researchers for the first time have discovered a variant of the Mirai Internet of Things botnet that targets an vulnerability found in unpatched versions of the open-source Apache Struts web app development platform.

That bug is none other than the infamous CVE-2017-5638, a remote code execution flaw that was exploited in the Equifax data breach, according to a Sept. 9 blog post from Palo Alto Networks' Unit 42 threat research division. And the decision to strategically incorporate this bug could indicate a larger movement from consumer device targets to enterprise targets," reports post author and researcher Ruchna Nigam.

CVE-2017-5638 is actually just one of 16 vulnerabilities that the Mirai variant abuses, including RCE and command injections bugs in a wide variety of networking devices, routers, CCTVs and DVRs.

Unit 42 researchers uncovered samples of the Mirai variant on Sept. 7, tracing the threat to a pair of malicious domains, one of which was used in August to spread a new version of a second IoT botnet called Gafgyt.

The Gafgyt variant had been updated to include an exploit for CVE-2018-9866, a recently discovered, critical remote code execution bug found in older, unsupported versions of SMB cybersecurity firm SonicWall's Global Management System (builds 8.1 and earlier).

"These samples first surfaced on August 5, less than a week after the publication of a Metasploit module for this vulnerability," and less than three weeks after SonicWall disclosed the issue in a July 17 security advisory, Nigam said in the post.

Studied samples of the Gafgyt variant also included exploits for devices from Huawei and D-Link, and can launch a "Blacknurse" low-bandwidth Internet Control Message Protocol (ICMP) DDoS attack.

SonicWall issued a statement to SC Media reiterating that Gafgyt exploits an older vulnerability as opposed to a newly discovered bug. "The issue referenced only affects an older version of the GMS software (version 8.1) which was replaced by version 8.2 in December 2016," the statement reads. "Customers and partners running GMS version 8.2 and above are protected against this vulnerability. Customers still using GMS version 8.1 should apply a hotfix supplied by SonicWall in August 2018 and plan for an immediate upgrade, as GMS 8.1 went out of support in February 2018."


Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.