A critical Apache Struts vulnerability disclosed last week is being actively exploited in the wild to maliciously install a popular cryptocurrency miner on victim systems, according to researchers.
Experts at security vendor Volexity warned earlier this week that they spotted the activity shortly after a proof-of-concept exploit was made public.
“The in-the-wild attacks observed thus far appear to have been taken directly from the publicly posted PoC code. In this instance, Apache Struts is vulnerable due to an improper validation of namespace input data, and the flaw is trivial to exploit,” the firm explained.
“Volexity has observed at least one threat actor attempting to exploit CVE-2018-11776 en masse in order to install the CNRig cryptocurrency miner. The initial observed scanning originated from the Russian and French IP addresses 95.161.225.94 and 167.114.171.27.”
The CVSS 10.0 vulnerability was revealed last week, with experts urging admins to patch as soon as possible to protect their systems. A flaw in the popular web application framework was exploited infamously last year when Equifax failed to apply an available update, resulting in a data breach thought to have affected nearly half of all Americans.
Advice from the Apache Software Foundation is to upgrade to Struts 2.3.35 or Struts 2.5.17.
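A version check for the upgrade advice above, as an added example that is not from the article, Volexity or the Apache project: it finds `struts2-core-*.jar` files under a directory and compares each version with the fixed releases 2.3.35 and 2.5.17. It assumes the jar keeps the standard `struts2-core-<version>.jar` file name and treats earlier versions on the 2.3 and 2.5 lines as needing the upgrade; anything else is marked for manual review.

```shell
#!/bin/sh
# Added example: flag struts2-core jars older than the fixed releases
# named in the article (2.3.35 and 2.5.17).

# jar_version PATH -> version string taken from the jar's file name
jar_version() {
  _base=${1##*/}                 # strip directories
  _base=${_base#struts2-core-}   # strip the artifact name
  printf '%s\n' "${_base%.jar}"
}

# struts_status VERSION -> "upgrade", "patched" or "review"
struts_status() {
  IFS=. read -r _maj _min _pat _rest <<EOF
$1
EOF
  _pat=${_pat:-0}
  # Qualified builds (e.g. -SNAPSHOT) and odd names are not judged automatically.
  case "$_maj$_min$_pat" in
    ''|*[!0-9]*) echo review; return 0 ;;
  esac
  # Assumption: only the two release lines with a fix named in the article
  # are classified; every other line goes to manual review.
  case "$_maj.$_min" in
    2.3) _fixed=35 ;;
    2.5) _fixed=17 ;;
    *)   echo review; return 0 ;;
  esac
  if [ "$_pat" -lt "$_fixed" ]; then echo upgrade; else echo patched; fi
}

# scan_struts DIR -> one "status<TAB>version<TAB>path" line per jar found
scan_struts() {
  find "${1:-.}" -type f -name 'struts2-core-*.jar' 2>/dev/null |
  while IFS= read -r _jar; do
    _v=$(jar_version "$_jar")
    printf '%s\t%s\t%s\n' "$(struts_status "$_v")" "$_v" "$_jar"
  done
}

# Run a scan only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
  scan_struts "$1"
fi
```

Jars packed inside an undeployed WAR or bundled into a single application jar are not visible to `find`; list the contents of those archives separately.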
There could be more danger ahead for organizations which fail to patch promptly, as the flaw itself enables remote code execution and could theoretically allow attackers to access a targeted system.
Recorded Future revealed it had “detected chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability,” while Volexity claimed it has “observed multiple APT groups leveraging Apache Struts vulnerabilities to gain access to target networks.”
Trend Micro revealed in its midyear roundup report this week that detections for cryptocurrency miners rocketed 956% from the first half of 2017 to the first six months of this year.