
Canadian Agency Narrowly Avoids Breach from Zero-Day Flaw

No Data Lost, But Tax-Filing Website Shut Down as a Precaution
The Canada Revenue Agency's headquarters in Ottawa. Photo: Michel Rathwell (Flickr/CC)

Canadian authorities managed to halt a cyberattack against its statistics agency that exploited a software flaw in Apache Struts 2, a web application development framework.


Statistics Canada caught the intrusion before any data was stolen, Reuters reports. As a precaution, the country also shut down its revenue agency website, used for filing tax returns, on March 10.

John Glowacki, chief operating officer of Shared Services Canada - the federal government's IT service provider - said during a March 13 technical briefing for reporters that affected sites were fixed and restored by March 12, Reuters reports. He also claimed that other countries "are actually having greater problems with this specific vulnerability," although he did not name the countries.

Apache Struts is open-source software that is used for building and maintaining Java web applications. Airlines, car rental firms, e-commerce shops, social networks and government agencies are among the many types of organizations that use it.

A security researcher, Nike Zheng of DBAPPSecurity, discovered a zero-day vulnerability in Apache Struts 2 that could be remotely exploited. That's the worst kind of software flaw, as it means that there's no patch, and attackers might be abusing it. Given the wide use of Apache Struts, it also means many organizations need to patch (see Apache Struts 2 Under Zero-Day Attack, Update Now).

Even before this flaw was discovered, attackers were regularly searching for web applications that include built-in Apache Struts functionality, then attempting to exploit Struts, the security firm Imperva warned in early January.

"Attackers launch reconnaissance attacks on a variety of web applications to find one that is not patched," Ajay Uggirala and Gilad Yehudai of Imperva write in a blog post. "This tactic is very effective."

Since 2010, Apache Struts has had 68 other remote code execution vulnerabilities, Mia Joskowicz and Nadav Avital of Imperva write in a March 13 blog post. "This is yet another incident that adds up to a long list of vulnerabilities in this framework," they say of the new zero-day Struts 2 flaw.

Warning: Patch Now

The Apache Software Foundation issued a patch for that flaw on March 8, advising users to update to Struts version 2.3.32 or 2.5.10.1.

The problem, CVE-2017-5638, exists in a Struts feature called the Jakarta Multipart parser, which is used to upload files. The flaw could allow an attacker to craft a malicious Content-Type value within an HTTP request, which would cause the software to throw an exception, Tom Sellers of the security company Rapid7 writes in a blog post.

"When the software is preparing the error message for display, a flaw in the Apache Struts Jakarta Multipart parser causes the malicious Content-Type value to be executed instead of displayed," he writes. No authentication credentials are required to launch the attack.
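The header-level check a defender can run over web-server or WAF logs for the behaviour described above, as an added example that is not part of this article or any of the vendor write-ups it quotes: it flags Content-Type values that carry expression-language delimiters or that do not even have the shape of a media type. The log format, the `content-type="..."` field and the sample lines are constructed for the example.

```python
import re

# Legitimate Content-Type shape: type/subtype plus optional ";name=value"
# parameters (a simplified form of the RFC 7231 / RFC 2045 grammar).
_TOKEN = r"[A-Za-z0-9!#$&^_.+-]+"
_CONTENT_TYPE = re.compile(
    r"^" + _TOKEN + r"/" + _TOKEN
    + r'(?:\s*;\s*' + _TOKEN + r'=(?:"[^"]*"|' + _TOKEN + r"))*\s*;?\s*$"
)
# Expression-language delimiters that never belong in a Content-Type header.
_EXPRESSION_MARKERS = ("%{", "${")

def classify_content_type(value):
    """Return 'ok', 'expression' or 'malformed' for one Content-Type value."""
    if any(marker in value for marker in _EXPRESSION_MARKERS):
        return "expression"
    if _CONTENT_TYPE.match(value.strip()):
        return "ok"
    return "malformed"

# Constructed log format assumed here: '<client> <method> <path> content-type="<value>"'.
_LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) content-type="(.*)"$')

def scan_log(lines):
    """Classify the Content-Type of every request; return the ones worth alerting on."""
    findings = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue
        client, _method, path, ctype = m.groups()
        verdict = classify_content_type(ctype)
        if verdict != "ok":
            findings.append((client, path, verdict))
    return findings

# Constructed sample traffic: one normal upload, one JSON post, and two
# deliberately non-functional headers shaped like the ones the text describes.
SAMPLE_LOG = [
    '203.0.113.10 POST /upload.action content-type="multipart/form-data; boundary=----constructed1"',
    '203.0.113.11 POST /upload.action content-type="application/json"',
    '203.0.113.12 POST /upload.action content-type="%{#constructed_expression}"',
    '203.0.113.13 POST /upload.action content-type="not a media type at all"',
]

if __name__ == "__main__":
    for client, path, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:10} {client} {path}")
```

A `malformed` verdict is a lower-confidence signal than `expression` (broken clients exist), so treat the two differently when tuning alert thresholds.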

Attacks Ongoing

Imperva's researchers write that they've seen several thousand attacks between March 7 and March 12 originating from 1,323 IP addresses in 30 countries.

Security experts expect the flaw to be widely exploited. Shortly after the flaw was announced, Rapid7 began monitoring for attempts to exploit the vulnerability across a network of honeypots it has within five major cloud services providers and across other private networks (see Scans Confirm: The Internet is a Dump).

Rapid7 says the first malicious requests attempting to exploit the flaw were spotted on March 7. The next day, Rapid7 caught a sample of the Linux malware installed using the vulnerability, a type of distributed denial-of-service application called XOR DDoS.

Cisco's Talos research group has also spotted a more aggressive attack campaign that exploits the Struts 2 vulnerability. It starts by trying to disable a Linux firewall, then tries to deliver payloads ranging from an IRC bouncer to other botnet and denial-of-service code.

"Patching this flaw should be your top priority right now," says Johannes Ullrich, dean of research for the SANS Technology Institute, in a recent SANS newsletter. "We have observed exploit attempts shortly after the flaw became known. Exploitation is trivial and tools to exploit this problem are readily available."

Ullrich adds that organizations should inventory all applications for any potential use of Struts 2 functionality because "Struts can be a component of many Java-based web applications," including JBoss and HipChat.
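One way to carry out the inventory Ullrich recommends, as an added example that is not SANS's or the article's own tooling: walk a deployment directory, look inside .war/.ear/.jar archives for a bundled `struts2-core-<version>.jar`, and compare the version against the fixed releases the advisory names (2.3.32 and 2.5.10.1). Release lines other than 2.3 and 2.5 are marked for manual review rather than judged, and the two archives built in `demo()` are constructed stand-ins, not real jars.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# struts2-core-<version>.jar, whether it sits inside an archive or on disk.
_JAR_NAME = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def struts_status(version):
    """Compare a struts2-core version with the fixed releases 2.3.32 / 2.5.10.1."""
    v = parse_version(version)
    if v[:2] == (2, 3):
        return "patched" if v >= (2, 3, 32) else "vulnerable"
    if v[:2] == (2, 5):
        return "patched" if v >= (2, 5, 10, 1) else "vulnerable"
    return "review"  # other release lines: not covered by the advisory text, check by hand

def struts_versions_in_archive(path):
    """List struts2-core versions bundled in a .war/.ear/.jar (e.g. under WEB-INF/lib)."""
    with zipfile.ZipFile(path) as zf:
        return [m.group(1) for m in map(_JAR_NAME.search, zf.namelist()) if m]

def inventory(root):
    """Walk a deployment directory and report each struts2-core found with its status."""
    report = {}
    for item in Path(root).rglob("*"):
        if not item.is_file() or item.suffix.lower() not in (".war", ".ear", ".jar"):
            continue
        bare = _JAR_NAME.search(item.name)
        if bare:  # a struts2-core jar lying directly on disk (shared lib directory)
            report[str(item.relative_to(root))] = struts_status(bare.group(1))
            continue
        for ver in struts_versions_in_archive(item):
            report[f"{item.relative_to(root)}!{ver}"] = struts_status(ver)
    return report

def demo():
    """Build two constructed .war files in a temp dir and inventory them."""
    root = Path(tempfile.mkdtemp())
    with zipfile.ZipFile(root / "old-app.war", "w") as zf:
        zf.writestr("WEB-INF/lib/struts2-core-2.3.31.jar", b"constructed, not a real jar")
    with zipfile.ZipFile(root / "new-app.war", "w") as zf:
        zf.writestr("WEB-INF/lib/struts2-core-2.5.10.1.jar", b"constructed, not a real jar")
    return inventory(root)

if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:10} {name}")
```

Exploded deployments and shaded or renamed jars will not match the filename pattern, so pair this with a manifest or dependency-tree check where the build system allows it.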

Executive Editor Mathew Schwartz contributed to this story.


About the Author

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Jeremy Kirk is a 20-year veteran journalist who has reported from more than a dozen countries. An expat American now based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked for 10 years from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.