WARNING – HACKERS PREPARING TO LAUNCH ATTACKS AGAINST SUSPCETIBLE APACHE STRUTS 2 SYSTEMS
Nov 8, 2018
In the last 24 hours, CTI has gathered additional details about the vulnerability CVE-2016-1000031. Once again, we suspect threat actor group BOLIC14 to be exploiting the vulnerability in the wild.
On 19th September 2018, CTI have gathered evidences suggesting that threat actor group BOLIC14 is performing large scale passive reconnaissance and targeting thousands of vulnerable systems using Struts2 RCE exploit – named PsionApache2 under the Bleeding Thunder campaign.
On 5th September 2018, CTI have noticed high scale passive port scanning originating repeatedly from a few identified Russian IP addresses and hackers claims of developing PsionApache2, an exploit for Apache Struts 2 vulnerability.
On 26th August 2018, CYFIRMA Threat Intelligence Team (“CTI”) intercepted multiple discussion threads in dark web channels about an exploit of remote code execution vulnerability (CVE-2018-11776) in Apache Struts 2 systems. The malicious actors were found discussing about launching reconnaissance campaign to find vulnerable websites and target them with the exploits created.
CYFIRMA Risk Rating for this Out of Band Notification is: CRITICAL
Analysis of captured hackers’ footprints and correlation with external threat vectors indicate that this is a potential threat, and your organization is advised to take precautionary measures as highlighted in this report.