Recently one of the largest credit management organizations in the US was compromised, with around 143 million accounts stolen. As has been reported, these accounts included personally identifiable information (PII) such as names, addresses, social security numbers, credit histories, and even credit card information.
It now appears that this crime was enabled through an exploit that targeted a Java vulnerability in Apache Struts 2, which is an open-source web application framework for developing Java web applications that extends the Java Servlet API to assist, encourage, and promote developers to adopt a model–view–controller (MVC) architecture.
This vulnerability is the result of unsafe deserialization of untrusted data, which can lead to vulnerabilities that allow an attacker to execute arbitrary code. It consists of an attacker creating and exploiting any sort of serializable object that can be found on the classpath before passing it back to the caller. This object can be designed to perform dangerous actions either during its construction or its finalization. This vulnerability can be discovered in Java object creation and queries.
FortiGuard Labs has been actively monitoring this Apache Struts 2 vulnerability, and has recorded an average of 40,000 daily attempts to exploit it. We are still normalizing our numbers internally to ensure no errors exist in this reporting; however, when new vulnerabilities have exploits released for them it is not surprising to see to a large number of attempts from automated or even non-automated methods targeting this vulnerability in attempting to penetrate a system.
FortiGuard Labs has designated the risk for this vulnerability as HIGH. It allows remote code execution on Apache Struts, and it appears that there are working exploits developed for this exploit.
Apache Struts 2 is an open-source web application framework for developing Java web applications.
Fortinet’s FortiGate and Fortinet Web Application Gateway products detect and protect against this vulnerability. Fortinet's endpoint protection FortiClient can detect the vulnerability on Mac OS X and Windows operating systems to add another layer of security protection. In addition, no Fortinet devices are vulnerable to this attack.
Fortinet has released the following signature to protect customers:
Default action: Drop
Fortinet continues to block nearly 40 thousand daily attempts across the globe to exploit this vulnerability.
Sign up for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.