Canadian Agency Narrowly Avoids Breach from Zero-Day FlawNo Data Lost, But Tax-Filing Website Shut Down as a Precaution
Canadian authorities managed to halt a cyberattack against its statistics agency that exploited a software flaw in Apache Struts 2, a web application development framework.
Statistics Canada caught the intrusion before any data was stolen, Reuters reports. As a precaution, the country also shut down its revenue agency website, used for filing tax returns, on March 10.
John Glowacki, chief operating officer of Shared Services Canada - the federal government's IT service provider - said during a March 13 technical briefing for reporters that affected sites were fixed and restored by March 12, Reuters reports. He also claimed that other countries "are actually having greater problems with this specific vulnerability," although did not name the countries.
CRA is pleased to report that all of its digital services were returned to service on Sunday, March 12.— CanadaRevenueAgency (@CanRevAgency) March 13, 2017
CRA does not anticipate any delays in processing tax returns due to this service interruption.— CanadaRevenueAgency (@CanRevAgency) March 13, 2017
Apache Struts is open-source software that is used for building and maintaining Java web applications. Airlines, car rental firms, e-commerce shops, social networks and government agencies are among the many types of organizations that use it.
A security researcher, Nike Zheng of DBAPPSecurity, discovered a zero-day vulnerability in Apache Struts 2 that could be remotely exploited. That's the worst kind of software flaw, as it means that there's no patch, and attackers might be abusing it. Given the wide use of Apache Struts, it also means many organizations need to patch (see Apache Struts 2 Under Zero-Day Attack, Update Now).
Even before this flaw was discovered, attackers were regularly searching for web applications that include built-in Apache Struts functionality, then attempting to exploit Struts, the security firm Imperva warned in early January.
"Attackers launch reconnaissance attacks on a variety of web applications to find one that is not patched," Ajay Uggirala and Gilad Yehudai of Imperva write in a blog post. "This tactic is very effective."
Since 2010, Apache Struts has had 68 other remote code execution vulnerabilities, Mia Joskowicz and Nadav Avital of Imperva write in a March 13 blog post. "This is yet another incident that adds up to a long list of vulnerabilities in this framework," they say of the new zero-day Struts 2 flaw.
Warning: Patch Now
The Apache Software Foundation issued a patch for that flaw on March 8, advising users to update to Struts version 2.3.32 or 220.127.116.11.
The problem, CVE-2017-5638, exists in a Struts feature called the Jakarta Multipart parser, which is used to upload files. The flaw could allow an attacker to craft a malicious Content-Type value within an HTTP request, which would cause the software to throw an exception, Tom Sellers of the security company Rapid7 writes in a blog post.
"When the software is preparing the error message for display, a flaw in the Apache Struts Jakarta Multipart parser causes the malicious Content-Type value to be executed instead of displayed," he writes. No authentication credentials are required to launch the attack.
Imperva's researchers write that they've seen several thousand attacks between March 7 and March 12 originating from 1,323 IP addresses in 30 countries.
Security experts expect the flaw to be widely exploited. Shortly after the flaw was announced, Rapid7 began monitoring for attempts to exploit the vulnerability across a network of honeypots it has within five major cloud services providers and across other private networks (see Scans Confirm: The Internet is a Dump).
Rapid7 says the first malicious requests attempting to exploit the flaw were spotted on March 7. The next day, Rapid7 caught a sample of the Linux malware installed using the vulnerability, a type of distributed denial-of-service application called XOR DDoS.
Cisco's Talos research group has also spotted a more aggressive attack campaign that exploits the Struts 2 vulnerability. It starts by trying to disable a Linux firewall, then tries to deliver payloads ranging from an IRC bouncer to other botnet and denial-of-service code.
"Patching this flaw should be your top priority right now," says Johannes Ullrich, dean of research for the SANS Technology Institute, in a recent SANS newsletter. "We have observed exploit attempts shortly after the flaw became known. Exploitation is trivial and tools to exploit this problem are readily available."
Ullrich adds that organizations should inventory all applications for any potential use of Struts 2 functionality because "Struts can be a component of many Java-based web applications," including JBoss and HipChat.
Executive Editor Mathew Schwartz contributed to this story.