Apache Struts Vulnerability CVE-2018-11776

On Wednesday, August 22, 2018, the Apache Foundation released a security bulletin for a critical vulnerability in the Apache Struts framework.
Applications developed using Apache Struts are potentially vulnerable. The vulnerability (CVE-2018-11776) was identified and reported by Man Yue Mo from the Semmle Security Research Team, which works to find and report critical vulnerabilities in widely used open source software.
 
https://semmle.com/news/apache-struts-CVE-2018-11776
 
There are now 2 IDS signatures in your current LANGuardian ruleset covering the Apache Struts Vulnerability CVE-2018-11776:
  • 'ET EXPLOIT Apache Struts RCE CVE-2018-11776 POC M1' (sid 2026025)
  • 'ET EXPLOIT Apache Struts RCE CVE-2018-11776 POC M2' (sid 2026026)
We have also added the following domain to our web blacklist: it is a mining pool used by attackers following successful exploitation of CVE-2018-11776. Accesses to the us-east.cryptonight-hub.miningpoolhub.com domain indicate cryptomining activity.

The quickest way to monitor for this activity is to run a Security :: DNS Lookups Associated with Malware Domains by User report with the Host Name set to: us-east.cryptonight-hub.miningpoolhub.com
 
A second report to run would be an All Events :: Events by Signature report with the Signature Name set to CVE-2018-11776.
 
Both of these reports should be saved as custom reports, which can then be added to one of your dashboards.
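The two reports above amount to two lookups and a correlation: which users resolved the blacklisted mining-pool name, and which hosts raised either of the two Struts signatures. The script below is an added illustration of that logic over constructed log lines; it is not LANGuardian code, and the log field layout (`client=`, `user=`, `qname=`, `sid=`, `dst=`) is assumed.

```python
import re
from collections import defaultdict

# Indicators quoted in the bulletin above: the blacklisted mining-pool
# domain and the two Emerging Threats signature IDs for CVE-2018-11776.
MINING_POOL_DOMAIN = "us-east.cryptonight-hub.miningpoolhub.com"
STRUTS_SIDS = {2026025, 2026026}

# Constructed sample records; the field layout is assumed, not LANGuardian's.
DNS_LOG = """\
2018-08-23T09:14:02Z client=10.0.5.21 user=jdoe qname=www.example.com
2018-08-23T09:14:07Z client=10.0.5.21 user=jdoe qname=US-East.Cryptonight-Hub.MiningPoolHub.com.
2018-08-23T09:15:11Z client=10.0.5.40 user=asmith qname=miningpoolhub.com
2018-08-23T09:16:30Z client=10.0.5.21 user=jdoe qname=us-east.cryptonight-hub.miningpoolhub.com
"""
IDS_LOG = """\
2018-08-23T09:13:55Z sid=2026025 src=203.0.113.9 dst=10.0.5.21 msg="ET EXPLOIT Apache Struts RCE CVE-2018-11776 POC M1"
2018-08-23T09:13:58Z sid=1000001 src=203.0.113.9 dst=10.0.5.21 msg="CONSTRUCTED unrelated alert"
2018-08-23T09:14:01Z sid=2026026 src=203.0.113.9 dst=10.0.5.40 msg="ET EXPLOIT Apache Struts RCE CVE-2018-11776 POC M2"
"""

DNS_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) qname=(?P<qname>\S+)$")
IDS_RE = re.compile(r'^(?P<ts>\S+) sid=(?P<sid>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+) msg="(?P<msg>[^"]*)"$')

def normalise(qname):
    # DNS names are case-insensitive and may carry a trailing dot.
    return qname.rstrip(".").lower()

def mining_pool_lookups(dns_text):
    """{user: [client hosts]} for lookups of the exact blacklisted name.
    The bare 'miningpoolhub.com' is deliberately not treated as a hit."""
    hits = defaultdict(set)
    for line in dns_text.splitlines():
        m = DNS_RE.match(line)
        if m and normalise(m["qname"]) == MINING_POOL_DOMAIN:
            hits[m["user"]].add(m["client"])
    return {u: sorted(c) for u, c in hits.items()}

def struts_alerts(ids_text):
    """{destination host: [sids]} for alerts from either Struts signature."""
    hits = defaultdict(set)
    for line in ids_text.splitlines():
        m = IDS_RE.match(line)
        if m and int(m["sid"]) in STRUTS_SIDS:
            hits[m["dst"]].add(int(m["sid"]))
    return {h: sorted(s) for h, s in hits.items()}

def correlate(dns_text, ids_text):
    """Hosts hit by a Struts signature that also resolved the mining pool:
    the strongest sign on these logs that the exploit attempt succeeded."""
    attacked = set(struts_alerts(ids_text))
    resolving = {c for hosts in mining_pool_lookups(dns_text).values() for c in hosts}
    return sorted(attacked & resolving)
```

On the constructed data, host 10.0.5.21 is the only one that both triggered a Struts signature and then resolved the mining pool; 10.0.5.40 saw an attempt but no follow-up lookup.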
 
And, as always, if you have questions about any aspect of LANGuardian, please contact us on support@netfort.com any time.


Kind Regards,


Laura
Technical Support Engineer
NetFort Technologies

Tel        +353 91 42 6565
Join me on LinkedIn: https://www.linkedin.com/in/lauramurphygalway/

Laura Murphy, Official Rep
Posted 3 months ago