Almost immediately following the disclosure of a critical remote code execution bug in Apache Struts last Tuesday, exploit code for the vulnerability was published online and attackers also reportedly began exploiting the flaw.
In an Aug. 7 blog post, Cisco Talos reported that most of the exploitation activity its researchers have observed so far appears to be scanning for websites and systems that are potentially vulnerable to the bug, designated CVE-2017-9805. These outbound HTTP requests have predominantly been coming from, and sending data to, a web address with a Russian .ru top-level domain.
However, Talos did find one example of a threat actor leveraging the bug to serve an unidentified, possibly malicious file. Judging from past exploits of Struts vulnerabilities, the payload could have been a DDoS bot, spam bot, or one of various other malicious payloads, the blog post notes.
Moreover, Ars Technica reported on Wednesday that exploit code for the vulnerability was released on the open-source Metasploit framework, just one day after the vulnerability was disclosed by the individual who discovered it, lgtm researcher Man Yue Mo. In conjunction with this disclosure, the Apache Struts security team released an update to its open-source web application framework in order to fix the vulnerability, which allows attackers to seize control of any server running REST applications built with its product, due to an unsafe data deserialization process. Developers of vulnerable web applications are strongly encouraged to upgrade to the latest Struts release, version 2.5.13.
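Since the fix is a version upgrade, the first thing a defender wants is an inventory of which deployments still carry an older Struts REST plugin. The following is an added example (not code from the article or from the Apache Struts project) that walks a deployment tree, picks out Struts jars by name, and flags any whose version predates 2.5.13, the fixed release named above; the jar naming pattern and the sample deployment it builds are assumptions, and the article names no fixed release for older branches, so anything below 2.5.13 is simply reported for review.

```python
import re
from pathlib import Path

# Fixed release named in the article; anything older is reported for review.
FIXED_VERSION = (2, 5, 13)

# Assumed jar naming, e.g. struts2-rest-plugin-2.5.10.jar or struts2-core-2.5.12.jar.
JAR_RE = re.compile(r"^(struts2-(?:core|rest-plugin))-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.5.12' into a comparable tuple (2, 5, 12)."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version):
    """True when the version string is older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


def check_jar_name(name):
    """Return (artifact, version, needs_upgrade) for a Struts jar, or None otherwise."""
    match = JAR_RE.match(name)
    if not match:
        return None
    artifact, version = match.groups()
    return artifact, version, is_vulnerable(version)


def scan_tree(root):
    """Walk a deployment directory and list Struts jars that predate the fix."""
    findings = []
    for path in Path(root).rglob("*.jar"):
        result = check_jar_name(path.name)
        if result and result[2]:
            findings.append((str(path), result[1]))
    return findings


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample deployment: an outdated REST plugin beside a fixed core jar.
        lib = Path(tmp) / "WEB-INF" / "lib"
        lib.mkdir(parents=True)
        for name in ("struts2-rest-plugin-2.5.10.jar", "struts2-core-2.5.13.jar", "commons-io-2.5.jar"):
            (lib / name).touch()
        for path, version in scan_tree(tmp):
            print(f"needs upgrade: {path} (version {version}, fixed in 2.5.13)")
```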