F5 Labs just detected a new Monero crypto mining campaign that exploits the latest Apache Struts 2 critical RCE vulnerability. The vulnerability was responsibly disclosed just two weeks ago by Semmle; known threat actors have since weaponized a PoC exploit published on GitHub and are currently exploiting it to deploy the “xmrigCC” crypto-miner.
Of note, just a year and a half ago, Equifax was hit via a similar vulnerability on its Apache Struts 2 servers (CVE-2017-5638).
Key features of the campaign include:
- CVE-2018-11776 Apache Struts 2 namespace vulnerability allows unauthenticated remote code execution.
- In this Monero crypto-mining campaign, the injection point is within the URL.
- Target: Both Windows and Linux systems.
- The campaign seems to be run by the same threat actor (apparently of Chinese origin) that was exploiting the Jenkins vulnerability we reported on in July, as it also uses the unique “XHide” process hider and has similar file names.
- Based on its use of cron (for persistence) and XHide (for launching executables with fake process names), we have dubbed this campaign CroniX.
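Because the injection point for CVE-2018-11776 is the namespace segment of the URL path (unlike CVE-2017-5638, which abused the Content-Type header), exploitation attempts leave a trace in ordinary web server access logs. The following is an added detection example, not code from F5 Labs: it parses combined-format access log lines, URL-decodes the request path (repeatedly, to catch double encoding), and flags any path carrying an OGNL expression marker. The log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache/nginx combined log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# OGNL expression markers. CVE-2018-11776 is triggered through the namespace part
# of the URL path, so only the path component is inspected here (not headers or body).
OGNL_MARKERS = ("${", "%{")


def decode_path(path: str) -> str:
    """URL-decode until stable so double-encoded markers (%2524%257B) are caught too."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path


def is_ognl_in_path(path: str) -> bool:
    """True if the decoded request path contains an OGNL expression marker."""
    decoded = decode_path(path)
    return any(marker in decoded for marker in OGNL_MARKERS)


def scan_log(lines):
    """Return (ip, timestamp, decoded path) for each request with OGNL in its path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_ognl_in_path(m["path"]):
            hits.append((m["ip"], m["ts"], decode_path(m["path"])))
    return hits


# Constructed sample log (not from the article): two benign Struts requests, then two
# requests whose namespace segment carries a harmless probe-style OGNL expression.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Sep/2018:10:01:02 +0000] "GET /struts2-showcase/index.action HTTP/1.1" 200 5123',
    '203.0.113.7 - - [01/Sep/2018:10:01:05 +0000] "GET /struts2-showcase/actionChain1.action HTTP/1.1" 200 810',
    '198.51.100.23 - - [01/Sep/2018:10:02:11 +0000] "GET /%24%7B1%2B1%7D/actionChain1.action HTTP/1.1" 302 0',
    '198.51.100.23 - - [01/Sep/2018:10:02:12 +0000] "GET /%2524%257B1%252B1%257D/index.action HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, ts, path in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} OGNL in path: {path}")
```

A hit is a signal to check the host for the cron entries and XHide-disguised miner processes described above, since a 302 or 404 response does not mean the attempt failed.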
Full details of the attack can be found on F5 Labs: https://www.f5.com/labs/articles/threat-intelligence/apache-struts-2-vulnerability–cve-2018-11776–exploited-in-cron