Why the new Apache Struts Vulnerability will be Targeted

Last week, a new Apache Struts vulnerability was announced (CVE-2018–11776). So the big question becomes when an exploit will become more fully weaponized. The other day, a proof-of-concept exploit was released.

At CYR3CON we’ve been focusing a lot on predicting which vulnerabilities that will be exploited — so we are looking at this as the first in a series of articles.

The thing we look at is threat — what vulnerabilities are the hackers going to target. When creating exploits, hackers have certain preferences that align with their knowledge, skills, and abilities. They want to create exploits quickly that are relevant to targets they are interested. So will hackers be interested in weaponizing CVE-2018–11776? Lets look at a few characteristics of the vulnerability and how they signify interest in the hacker community:

  • The vulnerability does not require user interaction are 13.3% more likely to be discussed by hackers
  • The vulnerability does not require privileges 6.7% more likely to be discussed by hackers
  • The vulnerability has a low attack complexity are 12.0% more likely to be discussed by hackers

The above CYR3CON platform leverages years of hacker community data (primarily deep and darkweb) communities. This data can provide insights into new vulnerabilities. All of the the above-mentioned characteristics are indicators of greater hacker interest. Taken together, we estimate a 35.3% increase in likelihood of hacker interest. Keep in mind, this resembles increase in likelihood over what is normal — which means these numbers are significant.

These factors of CVE-2018–11776 are aspects popular among hackers. It means that it is more likely for hackers to develop exploits and distribute in their communities. The impact on business? This is very comparable to the Equifax breach — it is a significant vulnerability.

With these characteristics, we can expect evolution beyond the proof-of-concept code to a more weaponized exploit such as a Metapsloit module or as part of a common malware platform.

As CYR3CON our recommendation is to mitigate this vulnerability by upgrading Apache struts. If the upgrade is planned early, it may be in-place in time prior to the recent proof-of-concept code becoming fully weaponized.