"…server’s IP address or its domain name. During the download, it uses a special “Linux” user-agent (in some cases “Linux” with upper case L) as an access restriction mechanism, while an IP accessing with any other user-agent is banned. Another job starts a file located in…"
T1190 Exploit Public-Facing Application (98%)
"…threat actor seems to have quickly adopted one of these exploits in its arsenal. Recall that just a year and a half ago, Equifax was hit with another vulnerability on its Apache Struts 2 servers (CVE-2017-5638). That attack resulted in the exposure of personally identifiabl…"
T1190 Exploit Public-Facing Application (94%)
"Apache Struts 2 Vulnerability (CVE-2018-11776) Exploited in CroniX Crypto-Mining Campaign. Just two weeks ago a new Apache Struts 2 critical remote code execution vulnerability was published [1], and F5 researchers have already detected known threat actors exploiting it in a…"
T1204.002 Malicious File (93%)
"…and “upd” bash scripts. Figure 8: Downloading additional malicious files. Two additional binary executables — “xmrig” and a file called “h” — are downloaded, each having an x86 and an x64 version. Figure 9: Downloading x86 an…"
T1204.002 Malicious File (77%)
"…mrig” crypto-mining while faking its process name to “java”. The created process ID is written to a file named “pid”, so the “upd” script could kill and restart this process later. Figure 12: Script file runs XHide process hider with a preconfigured xmrig miner. Figure…"
T1190 Exploit Public-Facing Application (73%)
"…minerpool.pw” as seen in the following DNS request. Figure 14: DNS query to get the mining pool server’s IP address. Once resolving the pool’s domain, the attacker checks into the mining pool: Figur…"
T1496 Resource Hijacking (53%)
"…mrig” crypto-mining while faking its process name to “java”. The created process ID is written to a file named “pid”, so the “upd” script could kill and restart this process later. Figure 12: Script file runs XHide process hider with a preconfigured xmrig miner. Figure…"
T1059.001 PowerShell (39%)
"…ta holds a Visual Basic script that calls a Microsoft Windows cmd to run a PowerShell command on a targeted victim. So, it seems this threat actor is targeting Windows OS (not just Linux) using another operation hosted on the same server. Figure 2: Another file found on the…"
T1496.001 Compute Hijacking (37%)
"…mrig” crypto-mining while faking its process name to “java”. The created process ID is written to a file named “pid”, so the “upd” script could kill and restart this process later. Figure 12: Script file runs XHide process hider with a preconfigured xmrig miner. Figure…"
Summary
Attackers are exploiting new vulnerabilities almost as quickly as they're being discovered.