Late last year, an Apache Struts Remote Code Execution (RCE) vulnerability (CVE-2020-17530) was discovered. In Apache Struts versions 2.0.0 - 2.5.25 a forced Object Graph Navigational Language (OGNL) double evaluation of a tag's dynamic attributes may lead to RCE. Apache Struts is one of the most popular web frameworks on the internet, and is often a target by malicious threat actors due to its public facing nature. This RCE vulnerability is dependent on how a specific Apache Struts web application is configured which can make detection, defense, and risk analysis a complex task.
The vulnerability can be exploited by sending a specially crafted HTTP request containing an OGNL payload to a vulnerable server. The Apache Struts framework can be forced to perform a dobule evalution of attributes assigned to certain tag's attributes (such as "id"). The value passed to the Apache Struts application will be evaluated for a second time when the tag's attributes are rendered. If you are using Apache Struts in your environment, this vulnerability has been patched since Apache Struts v2.5.26 release and we highly recommend updating as soon as possible. This RCE vulnerability has been seen in the wild and is currently being used in active, malicious campaigns.
If you'd like to learn more about this vulnerability, you can find a proof of concept exploit for CVE-2020-17530 written in Python on the Cyborg Security GitHub account:
https://github.com/CyborgSecurity/CVE-2020-17530
video-embed
For more deep dives, view our latest, Threat Hunt Deep Dives: SolarWinds' Supply-Chain Compromise (Solorigate / SUNBURST Backdoor).
Guided Threat Hunts offers a library of Pivot Queries for hundreds of hunt packages that enable your threat hunters and analysts to overcome uncertainty and boost productivity. Guided Threat Hunts is a set of packages that assists users modify their result set to decide their next step and filter out noise from extraneous results.
The Lumma infostealer malware collects highly sensitive data including logins and session tokens. Here's how to conduct a threat hunt leveraging up-to-date tactics, techniques and procedures used by Lumma.
After compromising a system, attackers seek ways to maintain persistence. Here's how to threat hunt for a common persistence method used by attackers including DragonForce.
Stay informed with our weekly executive update, sending you the latest news and timely data on the threats, risks, and regulations affecting your organization.